[IT-SecNots] [Security-news] Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2018-019

Project: Display Suite [1]
Version: 7.x-2.147.x-1.9
Date: 2018-April-18
Security risk: *Critical* 17∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting (XSS)

Description: 
Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via
URLs leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers
protect against reflected XSS via the url.

Solution: 
  * If you use the Display Suite module for Drupal 7.x-1.x, upgrade to 
Display
    Suite 7.x-1.10 [3]
  * If you use the Display Suite module for Drupal 7.x-2.x, upgrade to 
Display
    Suite 7.x-2.15 [4]

Reported By: 
  * Liz Pringi [5]

Fixed By: 
  * Kristof De Jaeger [6] the module maintainer

Coordinated By: 
  * Rick Manelius [7] of the Drupal Security Team
  * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/ds
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ds/releases/7.x-1.10
[4] https://www.drupal.org/project/ds/releases/7.x-2.15
[5] https://www.drupal.org/u/epringi
[6] https://www.drupal.org/u/swentel
[7] https://www.drupal.org/u/rickmanelius
[8] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news