it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
- Date: Wed, 25 Oct 2017 16:42:52 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2017-080
Project: Mosaik [1]
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Description:
The Mosaik module enables you to create pages or complex blocks in Drupal
with the logic of a real mosaic and its pieces.
The module doesn't sufficiently sanitize the titles of fieldsets on its
administration pages or the titles of blocks that it creates. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer mosaik".
Solution:
Install the latest version:
* If you use the Mosaik module for Drupal 7, upgrade to Mosaik 7.x-1.2 [3]
Also see the Mosaik [4] project page.
Reported By:
* Tatar Balazs Janos [5]
Fixed By:
* Tatar Balazs Janos [6]
* Adriano Cori [7], the module maintainer
Coordinated By:
* David Rothstein [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mosaik
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mosaik/releases/7.x-1.2
[4] https://www.drupal.org/project/mosaik
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/805228
[8] https://www.drupal.org/user/124982
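
A check a site operator could run against the "Solution" above, as an added example that is not part of the advisory or of the Mosaik project: it reads the version line that Drupal.org packaging writes into a module's .info file and compares it with the fixed release 7.x-1.2. The file name mosaik.info, the sample .info contents and the policy of flagging dev snapshots and pre-releases for manual review are assumptions.

```python
import re
from pathlib import Path

FIXED = (1, 2)  # Mosaik 7.x-1.2, the fixed release named in the advisory

# Version line written into .info files by the Drupal.org packaging script.
INFO_VERSION = re.compile(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\s]+)"?[ \t]*$', re.M)
# Tagged Drupal 7 contrib release: 7.x-MAJOR.PATCH, optional pre-release suffix.
RELEASE = re.compile(r'^7\.x-(\d+)\.(\d+)(-(?:alpha|beta|rc)\d+)?$')


def info_version(info_text):
    """Return the version string from .info file contents, or None."""
    m = INFO_VERSION.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'ok', 'update' or 'review' for a Mosaik version string."""
    if version is None:
        return "review"  # e.g. a git checkout with no packaging data
    m = RELEASE.match(version)
    if not m or m.group(3):
        return "review"  # dev snapshot (7.x-1.x-dev) or pre-release tag
    release = (int(m.group(1)), int(m.group(2)))
    return "update" if release < FIXED else "ok"


def scan(drupal_root, info_name="mosaik.info"):
    """Yield (path, version, status) for each copy of the module found.

    info_name is assumed from the project's machine name.
    """
    for path in sorted(Path(drupal_root).rglob(info_name)):
        version = info_version(path.read_text(errors="replace"))
        yield str(path), version, classify(version)


# Constructed sample .info contents, not taken from the real module.
SAMPLE_OLD = 'name = Mosaik\ncore = 7.x\n\nversion = "7.x-1.1"\nproject = "mosaik"\n'
SAMPLE_DEV = 'name = Mosaik\ncore = 7.x\n\nversion = "7.x-1.x-dev"\nproject = "mosaik"\n'
SAMPLE_FIXED = 'name = Mosaik\ncore = 7.x\n\nversion = "7.x-1.2"\nproject = "mosaik"\n'

if __name__ == "__main__":
    for label, text in [("old", SAMPLE_OLD), ("dev", SAMPLE_DEV), ("fixed", SAMPLE_FIXED)]:
        print(label, info_version(text), classify(info_version(text)))
```

Pass the Drupal root to scan() to cover every copy of the module under sites/, including ones left behind in multisite directories.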