
it-securitynotifies - [IT-SecNots] [Security-news] Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057
  • Date: Wed, 17 Jul 2019 16:35:26 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-057

Project: Meta tags quick [1]
Date: 2019-July-17
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
Metatags quick is a module that manages meta tags (tags that appear in the
HTML head section) as Drupal 7 fields.
The administration page of Metatags quick does not sanitize the output of
blocks that appear on the same page. This allows an attacker to inject
malicious JavaScript in block markup.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer blocks".

Solution: 
Install the latest version.

If you use the Metatags quick module for Drupal 7.x, upgrade to metatags
quick 7.x-2.10. [3]

Reported By: 
* Yonatan Offek [4]

Fixed By: 
* Valery Lourie [5]
* Yonatan Offek [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/metatags_quick
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/metatags_quick/releases/7.x-2.10
[4] https://www.drupal.org/user/194009
[5] https://www.drupal.org/user/239562
[6] https://www.drupal.org/user/194009
[7] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
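
A version check for the upgrade step in the advisory above, added here as an example; it is not part of the original message or of the Drupal project's code. It assumes the module was installed from a drupal.org release archive, whose .info file carries a version line; the sample file contents and the function names are constructed for illustration.

```python
import re

# Fixed release named in the advisory (SA-CONTRIB-2019-057).
FIXED = "7.x-2.10"

# Constructed sample of a packaged module .info file (assumption: values
# such as the packaging date and installed version are made up).
SAMPLE_INFO = '''\
name = Meta tags quick
core = 7.x
; Information added by Drupal.org packaging script on 2018-01-01
version = "7.x-2.9"
project = "metatags_quick"
'''

def info_version(info_text):
    """Return the value of the version key in a .info file, or None."""
    m = re.search(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', info_text, re.M)
    return m.group(1) if m else None

def parse(version):
    """Split '7.x-2.10' or '7.x-2.10-rc1' into (core, major, patch, extra).
    Returns None for dev snapshots such as '7.x-2.x-dev' and for anything
    else that does not name a numbered release."""
    m = re.fullmatch(r'(\d+)\.x-(\d+)\.(\d+)(?:-([A-Za-z]+\d*))?', version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def needs_upgrade(version, fixed=FIXED):
    """True if version is older than the fixed release, False if it is the
    fixed release or a later one on the same branch, None if undecidable
    (missing version, dev snapshot, or a branch the advisory does not name)."""
    have, want = parse(version or ""), parse(fixed)
    if have is None or have[:2] != want[:2]:
        return None
    if have[2] != want[2]:
        # Numeric comparison: 9 < 10, which a string comparison of
        # "7.x-2.9" and "7.x-2.10" gets wrong.
        return have[2] < want[2]
    # Same numbers: a pre-release suffix (rc1, beta2) precedes the release.
    return have[3] is not None

if __name__ == "__main__":
    v = info_version(SAMPLE_INFO)
    print(v, "needs upgrade:", needs_upgrade(v))
```

A result of None means the installed copy has to be checked by hand, for example a dev snapshot whose build date decides whether it contains the fix.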

