[IT-SecNots] [Security-news] Smart Trim- Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2480321

   * Advisory ID: DRUPAL-SA-CONTRIB-2015-102
   * Project: Smart Trim [1]     (third-party module)
   * Version: 7.x
   * Date: 2015-April-29
   * Security risk: 5/25 ( Less Critical)
     AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:Default [2]
   * Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

This module implements a new field formatter for textfields (text, text_long,
and text_with_summary, if you want to get technical) that improves upon the
"Summary or Trimmed" formatter built into Drupal 7.

The module doesn't sufficiently filter user input via the field settings
form.

This vulnerability is mitigated by the fact that only administrative users
who can administer field types can exploit it.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance
            with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Smart Trim  7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Smart Trim [4]
module,
       there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the smart_trim module for Drupal 7.x, upgrade to
     smart_trim-7.x-1.5 [5]

Also see the Smart Trim [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Tom Lambert [7]

-------- FIXED BY
------------------------------------------------------------

   * Mark Casias [8] the module maintainer.
   * Greg Knaddison [9] of the Drupal Security Team.
   * Damien McKenna [10], provisional member of the Drupal Security Team.

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [11] of the Drupal Security Team.
   * Damien McKenna [12], provisional member of the Drupal Security Team.

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and  securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] https://www.drupal.org/project/smart_trim
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/smart_trim
[5] https://www.drupal.org/node/2480289
[6] https://www.drupal.org/project/smart_trim
[7] https://www.drupal.org/user/28229
[8] https://www.drupal.org/user/206687
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/u/damienmckenna
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news