it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054
- Date: Wed, 26 Jun 2019 16:29:10 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-054
Project: Advanced Forum [1]
Version: 7.x-2.x-dev
Date: 2019-June-26
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
Advanced Forum builds on and enhances Drupal's core forum module. When used
in combination with other Drupal contributed modules, many of which are
automatically used by Advanced Forum, you can achieve much of what
stand-alone software provides.
The module doesn't sufficiently sanitise user input in specific
circumstances. It is not possible to disable the vulnerable functionality.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create forum content.
Solution:
Install the latest version:
* If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced
Forum 7.x-2.8 [3]
Also see the Advanced Forum [4] project page.
Reported By:
* Drew Webber [5] of the Drupal Security Team
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Vijaya Chandran Mani [7] Provisional Member of the Drupal Security Team
Coordinated By:
* Drew Webber [8] of the Drupal Security Team
[1] https://www.drupal.org/project/advanced_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/advanced_forum/releases/7.x-2.8
[4] https://www.drupal.org/project/advanced_forum
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/93488
[8] https://www.drupal.org/user/255969