it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047
- Date: Wed, 11 Jul 2018 17:03:24 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-047
Project: EU Cookie Compliance [1]
Date: 2018-July-11
Security risk: *Moderately critical* 12∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
This module addresses the General Data Protection Regulation (GDPR) that came
into effect on 25th May 2018, and the EU Directive on Privacy and Electronic
Communications from 2012. It provides a banner where you can gather consent
from the user to store cookies on their computer and handle their personal
information.
The module does not sanitize some inputs, which leads to a Cross Site
Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact
that an attacker must have the permission "Administer EU Cookie Compliance."
Solution:
Install the latest version:
* If you use the eu_cookie_compliance module for Drupal 7.x, upgrade to
eu_cookie_compliance 7.x-1.24 [3]
* If you use the eu_cookie_compliance module for Drupal 8.x, upgrade to
eu_cookie_compliance 8.x-1.1 [4]
Also see the EU Cookie Compliance [5] project page.
Reported By:
* Alexander Hass [6]
Fixed By:
* Sven Berg Ryen [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/eu_cookie_compliance
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eu_cookie_compliance/releases/7.x-1.24
[4] https://www.drupal.org/project/eu_cookie_compliance/releases/8.x-1.1
[5] https://www.drupal.org/project/eu-cookie-compliance
[6] https://www.drupal.org/user/85918
[7] https://www.drupal.org/user/667244
[8] https://www.drupal.org/u/mlhess
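Added example (not part of the advisory or of the module's code): a small check that classifies an installed eu_cookie_compliance version string against the fixed releases named under "Solution". It assumes the version is read from the "version" line that drupal.org packaging writes into the module's .info / .info.yml file, and that anything below the fixed release on the same branch needs the upgrade; the function names and sample file contents are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"7.x": (1, 24), "8.x": (1, 1)}
# Drupal contrib version: <core>.x-<major>.<minor>[-<extra>], e.g. 7.x-1.23, 8.x-1.1-rc1
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9.+]+))?$")
# "version" line in a packaged .info (D7) or .info.yml (D8) file (assumed layout)
INFO_RE = re.compile(r"""^version\s*[:=]\s*['"]?([^'"\s]+)['"]?\s*$""", re.M)

# Constructed sample file contents, not taken from a real installation.
SAMPLE_D7_INFO = 'name = EU Cookie Compliance\ncore = 7.x\nversion = "7.x-1.23"\n'
SAMPLE_D8_INFO = "name: 'EU Cookie Compliance'\ntype: module\nversion: '8.x-1.1'\n"


def classify(version):
    """Return 'upgrade', 'fixed' or 'review' for one contrib version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "review"            # unparseable, e.g. a git checkout without a version
    core, major, minor, extra = m.groups()
    if core not in FIXED or minor == "x":
        return "review"            # branch not in the advisory, or a -dev snapshot
    found, fixed = (int(major), int(minor)), FIXED[core]
    if found[0] != fixed[0]:
        return "review"            # major line the advisory does not mention
    if found < fixed:
        return "upgrade"           # numeric compare, so 1.9 sorts below 1.24
    if found == fixed and extra:
        return "review"            # pre-release of the fixed version
    return "fixed"                 # assumption: later releases keep the fix


def version_from_info(text):
    """Extract the version string from .info / .info.yml contents, or None."""
    m = INFO_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, text in (("D7 sample", SAMPLE_D7_INFO), ("D8 sample", SAMPLE_D8_INFO)):
        v = version_from_info(text)
        print(label, v, classify(v))
```

A result of "review" means the advisory text alone does not settle the question for that version, so it should be checked by hand against the project page.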