it-securitynotifies - [IT-SecNots] [Security-news] Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040
  • Date: Wed, 20 Mar 2019 16:59:26 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-040

Project: Back To Top [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
This module adds a button that hovers at the bottom of the screen and lets
users smoothly scroll back to the top of the page using jQuery.

The module does not sufficiently sanitize the content it prints into pages,
leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access backtotop settings".
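The pattern the advisory describes, as an added illustration that is not the Back To Top module's own code: a Drupal 7-style snippet in which a setting saved by a user holding the module's configuration permission is printed into page markup unsanitized, beside the hardened form that passes it through check_plain() and, for values handed to JavaScript, the same escaping as drupal_json_encode(). The backtotop_demo_* names, the stub for variable_get() and the stored payload are constructed for the example.

```php
<?php
// Added illustration (not the Back To Top module's code): an admin-supplied
// setting printed into every page without sanitization, and the fixed form.
// All backtotop_demo_* names and the stored value are hypothetical.

// Drupal 7 provides check_plain(); define the same implementation so this
// script also runs stand-alone outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Stand-in for variable_get(): the settings an administrator saved on the
// module's configuration form. The value is a constructed attacker payload
// that a user with the configuration permission could store.
function backtotop_demo_variable_get($name, $default) {
  $settings = array(
    'backtotop_demo_button_text' => 'Back to top"><script>alert(document.cookie)</script>',
  );
  return isset($settings[$name]) ? $settings[$name] : $default;
}

// Vulnerable pattern: the stored string is concatenated straight into markup
// that the module would emit on every page (e.g. from hook_page_build()).
function backtotop_demo_markup_vulnerable() {
  $text = backtotop_demo_variable_get('backtotop_demo_button_text', 'Back to top');
  return '<div id="backtotop" title="' . $text . '">' . $text . '</div>';
}

// Hardened pattern: each setting is run through check_plain() before it is
// placed in a quoted attribute or in element content.
function backtotop_demo_markup_sanitized() {
  $text = backtotop_demo_variable_get('backtotop_demo_button_text', 'Back to top');
  $safe = check_plain($text);
  return '<div id="backtotop" title="' . $safe . '">' . $safe . '</div>';
}

// Same point for values handed to the page's JavaScript: pass them as a
// Drupal.settings entry (drupal_add_js($data, 'setting')) rather than building
// an inline <script> by string concatenation. The json_encode() flags below
// are the ones Drupal 7's drupal_json_encode() uses, so "</script>" cannot
// break out of the script context.
function backtotop_demo_js_setting_sanitized() {
  $text = backtotop_demo_variable_get('backtotop_demo_button_text', 'Back to top');
  $json = json_encode(array('text' => $text),
    JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
  return 'Drupal.settings.backtotop = ' . $json . ';';
}

// Self-check: the vulnerable output carries a live <script> tag, the
// sanitized outputs do not.
$vuln = backtotop_demo_markup_vulnerable();
$safe = backtotop_demo_markup_sanitized();
$js   = backtotop_demo_js_setting_sanitized();
echo "vulnerable: $vuln\n";
echo "sanitized:  $safe\n";
echo "js setting: $js\n";
$ok = strpos($vuln, '<script') !== false
   && strpos($safe, '<script') === false
   && strpos($js, '<script') === false;
echo $ok ? "sanitization check passed\n" : "sanitization check FAILED\n";
```

Run it with `php` on the command line; the vulnerable line prints the payload as live markup, while the sanitized lines show it HTML-escaped. The permission requirement in the advisory limits who can store such a value, but it does not make the output safe: a site that grants the module's configuration permission to a semi-trusted role still needs the escaping, which is why upgrading is the fix rather than relying on the role restriction.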

Solution: 
Install the latest version:

* If you use the Back To Top module for Drupal 7.x, upgrade to Back To Top
7.x-1.6 [3]

Reported By: 
* Balazs Janos Tatar [4]

Fixed By: 
* Mattias Axelsson [5]
* Balazs Janos Tatar [6]

Coordinated By: 
* Balazs Janos Tatar [7]


[1] https://www.drupal.org/project/back_to_top
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/back_to_top/releases/7.x-1.6
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/765764
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/649590

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

