[IT-SecNots] [Security-news] Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-015

Project: Focal Point [1]
Version: 7.x-1.17.x-1.0
Date: 2019-February-13
Security risk: *Moderately critical* 13∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module enables a privileged user to specify the important part of an
image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when
the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the
ability to generate markup (e.g. with a field that accepts "filtered html")
AND they must have permission to edit a node or entity whose add/edit form
contains the focal point widget.

Solution: 
Install the latest version:

  * If you use the focal_point module for Drupal 7.x, upgrade to Focal Point
    7.x-1.2 [3]

Also see the Focal Point [4] project page.

Reported By: 
  * poiu  [5]

Fixed By: 
  * Alexander Ross  [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/focal_point
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/focal_point/releases/7.x-1.2
[4] https://www.drupal.org/project/focal_point
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/77375
[7] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news