[IT-SecNots] [Security-news] Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-049

Project: Workflow [1]
Date: 2019-May-22
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
The Workflow module enables you to create arbitrary Workflows, and assign
them to Entities.
The module doesn't sufficiently escape HTML in the field settings leading to
a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer nodes" and "administer workflow".

Solution: 
Install the latest version:

  * If you use the Workflow module for Drupal 7.x, upgrade to Workflow
    7.x-2.12 [3]

Reported By: 
  * Roberto Mariani  [4]

Fixed By: 
  * Roberto Mariani  [5]
  * David Snopek  [6] of the Drupal Security Team
  * John Voskuilen  [7]
  * Sarah Hood  [8]
  * Greg Knaddison  [9] of the Drupal Security Team

Coordinated By: 
  * Michael Hess  [10] of the Drupal Security Team


[1] https://www.drupal.org/project/workflow
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/workflow/releases/7.x-2.12
[4] https://www.drupal.org/user/1135096
[5] https://www.drupal.org/user/1135096
[6] https://www.drupal.org/user/266527
[7] https://www.drupal.org/user/591042
[8] https://www.drupal.org/user/275249
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news