
it-securitynotifies - [IT-SecNots] [Security-news] Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

it-securitynotifies AT lists.piratenpartei.de

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062
  • Date: Wed, 14 Aug 2019 17:54:56 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-062

Project: Super Login [1]
Date: 2019-August-14
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module improves the Drupal login page with new features and layout.

The module doesn't sufficiently filter text entered in the text configuration
inputs on its administration pages, for example the login text field.

The vulnerability is mitigated by the fact that it can only be exploited by a
user with the "Administer super login" permission.

Solution: 
Install the latest version:

* If you use the Super Login module for Drupal 8.x, upgrade to Super Login
8.x-1.3 [3]
* If you use the Super Login module for Drupal 7.x, upgrade to Super Login
7.x-1.4 [4]

Also see the Super Login [5] project page.

Reported By: 
* Mitch Portier [6]

Fixed By: 
* Mitch Portier [7]
* Shawn Ostermann [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/super_login
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/super_login/releases/8.x-1.3
[4] https://www.drupal.org/project/super_login/releases/7.x-1.4
[5] https://www.drupal.org/project/super_login
[6] https://www.drupal.org/user/2284182
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/user/61221
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
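
A way to check an installed copy against the fixed releases named in the advisory, as an added example that is not part of the advisory or of the Super Login project. It assumes the module was installed from a drupal.org release archive, whose `.info.yml` (Drupal 8) or `.info` (Drupal 7) file carries a `version` line; the function name `advisory_status` and the sample file contents are constructed for illustration.

```python
import re

# Fixed releases named in SA-CONTRIB-2019-062, keyed by Drupal core branch.
FIXED = {"8.x": (1, 3), "7.x": (1, 4)}

# Matches "version: '8.x-1.2'" (.info.yml) and 'version = "7.x-1.3"' (.info).
VERSION_LINE = re.compile(
    r"""^\s*version\s*[:=]\s*['"]?(?P<core>\d+\.x)-(?P<major>\d+)\."""
    r"""(?P<minor>\d+|x)(?P<extra>-[\w.]+)?['"]?\s*$""",
    re.MULTILINE,
)

def advisory_status(info_text):
    """Classify an info file's contents as 'affected', 'fixed' or 'unknown'."""
    m = VERSION_LINE.search(info_text)
    if m is None:
        return "unknown"      # no packaged version line (e.g. a git checkout)
    fixed = FIXED.get(m["core"])
    if fixed is None or m["minor"] == "x":
        return "unknown"      # other core branch, or a -dev snapshot
    installed = (int(m["major"]), int(m["minor"]))
    if installed == fixed and m["extra"]:
        return "unknown"      # pre-release of the fixed version: verify manually
    # Assumption: releases newer than the fixed one also contain the fix.
    return "fixed" if installed >= fixed else "affected"

# Constructed sample file contents, not taken from a real installation.
SAMPLES = {
    "d8 old": "name: Super Login\ntype: module\nversion: '8.x-1.2'\ncore: '8.x'\n",
    "d8 fixed": "name: Super Login\nversion: '8.x-1.3'\n",
    "d7 old": 'name = Super Login\nversion = "7.x-1.3"\ncore = "7.x"\n',
    "d7 dev": 'name = Super Login\nversion = "7.x-1.x-dev"\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label}: {advisory_status(text)}")
```

An "unknown" result means the version string alone cannot decide; compare the code against the fixed release in that case.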

