[IT-SecNots] [Security-news] Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-042

Project: Module Filter [1]
Version: 7.x-2.x-dev
Date: 2019-March-27
Security risk: *Moderately critical* 12∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting

Description: 
This module enables you to filter the list of modules on the admin modules
page, and organizes packages into vertical tabs.

The module doesn't sufficiently escape HTML under the scenario leading to a
Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have
access to input filtered html that will be included on the modules
administration page e.g. in a block (this configuration is not common).
Further, the Module Filter vertical tabs setting must be enabled.

Solution: 
Install the latest version:

  * If you use the Module Filter module for Drupal 7.x, upgrade to Module
    Filter 7.x-2.2 [3]

Also see the Module Filter [4] project page.

Reported By: 
  * Yonatan Offek  [5]

Fixed By: 
  * greenSkin  [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/module_filter
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/module_filter/releases/7.x-2.2
[4] https://www.drupal.org/project/module_filter
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/173855
[7] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news