it-securitynotifies - [IT-SecNots] [Security-news] AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039
  • Date: Wed, 20 Mar 2019 16:58:32 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-039

Project: AddToAny Share Buttons [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
This module enables you to add social media share buttons on your website to
its content and pages.

The module doesn't sufficiently mark its administration permission as
restricted, so users who have access to its admin settings can exploit
cross-site scripting vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer addtoany".

Solution: 
* If you use the AddToAny Share Buttons module for Drupal 7.x, upgrade to
AddToAny Share Buttons 7.x-4.16 [3]

Reported By: 
* Balazs Janos Tatar [4]

Fixed By: 
* Balazs Janos Tatar [5]
* micropat [6]

Coordinated By: 
* Balazs Janos Tatar [7]


[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/7.x-4.16
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/260224
[7] https://www.drupal.org/user/649590
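
A check for the Solution above, added here as an example and not part of the advisory or the module: it reads the `version` line from an addtoany.info file and compares it with 7.x-4.16. The function names, the result labels and the sample file text are assumptions made for this example, as is the premise that 7.x releases numbered after 4.16 keep the fix.

```python
import re

FIXED = (4, 16)  # 7.x-4.16, the fixed release named in the advisory

# Drupal 7 contrib version strings: 7.x-<major>.<minor>[-<extra>] or 7.x-<major>.x-dev
_VERSION_RE = re.compile(r"^7\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9.]+))?$")

# Constructed sample of a packaged .info file (not taken from a real release).
SAMPLE_INFO = """name = AddToAny
core = 7.x
; Information added by packaging script (constructed)
version = "7.x-4.15"
project = "addtoany"
"""


def read_info_version(info_text):
    """Return the 'version' value from Drupal .info text, or None if absent."""
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # ';' starts a comment in .info files
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'")
    return None


def assess(info_text):
    """Classify a 7.x addtoany.info file as 'ok', 'upgrade' or 'unknown'."""
    version = read_info_version(info_text)
    if version is None:
        return "unknown"  # e.g. a git checkout without a packaging stamp
    match = _VERSION_RE.match(version)
    if not match:
        return "unknown"  # not a plain 7.x release string; the advisory covers 7.x only
    major, minor, extra = match.groups()
    if minor == "x":
        return "unknown"  # -dev snapshot: the number does not say what it contains
    release = (int(major), int(minor))
    if release != FIXED:
        # Assumption: later 7.x release numbers keep the fix.
        return "ok" if release > FIXED else "upgrade"
    # Same number with a suffix (4.16-rc1, 4.16-beta1) precedes 4.16 itself.
    return "upgrade" if extra else "ok"


if __name__ == "__main__":
    print(read_info_version(SAMPLE_INFO), "->", assess(SAMPLE_INFO))
```

An "unknown" result means the file has to be checked by hand, for example against the checkout's commit history.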
