
it-securitynotifies - [IT-SecNots] [Security-news] Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059
  • Date: Wed, 5 Sep 2018 17:29:11 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-059

Project: Fraction [1]
Date: 2018-September-05
Security risk: *Less critical* 5∕25 6/25 (Less Critical)
AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: XSS vulnerability

Description: 
This module enables you to create fields for storing decimal values as two
integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to manage field configuration.

Solution: 
Install the latest version:

* If you use the Fraction module for Drupal 7.x, upgrade to Fraction 7.x-1.7
[3].
* If you use the Fraction module for Drupal 8.x, upgrade to Fraction 8.x-1.2
[4].

Also see the Fraction project page [5].

Reported By: 
* bucefal91 [6]

Fixed By: 
* bucefal91 [7]
* Michael Stenta [8], the module maintainer.

Coordinated By: 
* Michael Hess [9] of the security team.


[1] https://www.drupal.org/project/fraction
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/fraction/releases/7.x-1.7
[4] https://www.drupal.org/project/fraction/releases/8.x-1.2
[5] https://www.drupal.org/project/fraction
[6] https://www.drupal.org/user/504128
[7] https://www.drupal.org/user/504128
[8] https://www.drupal.org/user/581414
[9] https://www.drupal.org/u/mlhess
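
Added example (not part of the advisory or the Fraction project): a Python check that classifies installed Fraction versions against the fixed releases named above, 7.x-1.7 and 8.x-1.2. The function names, the sample inventory and the conservative handling of dev snapshots, pre-releases and other major branches are assumptions.

```python
import re

# Fixed releases named in SA-CONTRIB-2018-059, keyed by Drupal core branch.
FIXED = {"7.x": (1, 7), "8.x": (1, 2)}

# Drupal contrib version string: CORE.x-MAJOR.MINOR with an optional
# -alphaN/-betaN/-rcN suffix, or CORE.x-MAJOR.x-dev for a dev snapshot.
_VERSION = re.compile(
    r"^(?P<core>\d+\.x)-(?P<major>\d+)\.(?P<minor>\d+|x)"
    r"(?:-(?P<tag>dev|alpha|beta|rc)(?P<n>\d*))?$"
)


def fraction_status(version):
    """Return 'fixed', 'upgrade' or 'unknown' for an installed Fraction version."""
    m = _VERSION.match(version.strip())
    if not m or m["core"] not in FIXED:
        return "unknown"          # unparseable, or a core branch the advisory does not name
    if m["minor"] == "x" or m["tag"] == "dev":
        return "unknown"          # dev snapshot: contents depend on checkout date
    fixed_major, fixed_minor = FIXED[m["core"]]
    major, minor = int(m["major"]), int(m["minor"])
    if major != fixed_major:
        return "unknown"          # assumption: other major branches are not covered here
    if minor < fixed_minor:
        return "upgrade"
    if minor == fixed_minor and m["tag"]:
        return "upgrade"          # assumption: a pre-release of the fixed version predates the fix
    return "fixed"


def audit(inventory):
    """Map each site to its status, given a {site: installed_version} inventory."""
    return {site: fraction_status(v) for site, v in inventory.items()}


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE_INVENTORY = {
    "farm-d7": "7.x-1.6",
    "shop-d7": "7.x-1.7",
    "intranet-d8": "8.x-1.2-rc1",
    "staging-d8": "8.x-1.x-dev",
}

if __name__ == "__main__":
    for site, status in audit(SAMPLE_INVENTORY).items():
        print(f"{site}: {status}")
```

Sites reported as `unknown` need a manual look at the installed code rather than being assumed safe.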
