
it-securitynotifies - [IT-SecNots] [Security-news] Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092
  • Date: Wed, 11 Dec 2019 20:02:30 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-092

Project: Smart Trim [1]
Version: 8.x-1.1, 8.x-1.0, 8.x-1.0-beta1
Date: 2019-December-11
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting

Description: 
The Smart Trim module allows site builders additional control with text
summary fields.

The module doesn't sufficiently filter text when certain options are
selected.

This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to create content on the site when certain options are
selected for the trimmed output.

Solution: 
Install the latest version:

* If you use the Smart Trim module for Drupal 8.x, upgrade to
smart_trim-8.x-1.2 [3]

Also see the Smart Trim [4] project page.

Reported By: 
* Anne [5]
* Adam Shepherd [6]

Fixed By: 
* Anne [7]
* Mark Casias [8]

Coordinated By: 
* Damien McKenna [9] of the Drupal Security Team


[1] https://www.drupal.org/project/smart_trim
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/smart_trim/releases/8.x-1.2
[4] https://www.drupal.org/project/smart_trim
[5] https://www.drupal.org/u/ckaotik
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/u/ckaotik
[8] https://www.drupal.org/user/206687
[9] https://www.drupal.org/u/damienmckenna

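A check an administrator could run against the module's `smart_trim.info.yml` to see whether the installed release predates the fixed 8.x-1.2 named in the advisory. This is an added example, not part of the advisory or the Smart Trim project; the sample file contents are constructed, and treating every 8.x-1.x release older than 8.x-1.2 as needing the upgrade is an assumption based on the advisory's "Solution" section.

```python
import re

FIXED_RELEASE = "8.x-1.2"  # fixed release named in the advisory

# Drupal contrib version scheme: <core>.x-<major>.<minor>[-<stage><n>]
_VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
# Pre-releases sort before the final release of the same number.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}

# Constructed sample of a packaged smart_trim.info.yml (not a real file).
SAMPLE_INFO_YML = """\
name: Smart Trim
type: module
core: 8.x
version: '8.x-1.1'
project: 'smart_trim'
"""


def parse_version(text):
    """Return a sortable tuple for a contrib version, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. "8.x-1.x-dev" or a git checkout without a version
    core, major, minor, stage, n = m.groups()
    return (int(core), int(major), int(minor), _STAGE_RANK[stage], int(n or 0))


def installed_version(info_yml):
    """Extract the raw value of the 'version:' key from info.yml text."""
    for line in info_yml.splitlines():
        m = re.match(r"""^version:\s*['"]?([^'"\s#]+)""", line)
        if m:
            return m.group(1)
    return None


def needs_upgrade(info_yml):
    """Return 'upgrade', 'ok', or 'unknown' (dev build, other branch, no version)."""
    raw = installed_version(info_yml)
    current = parse_version(raw) if raw else None
    fixed = parse_version(FIXED_RELEASE)
    # Only the 8.x-1.x branch is covered by the advisory; anything else is unknown.
    if current is None or current[:2] != fixed[:2]:
        return "unknown"
    return "upgrade" if current < fixed else "ok"


if __name__ == "__main__":
    print(needs_upgrade(SAMPLE_INFO_YML))
```

An "unknown" result (for example a `-dev` build) needs a manual comparison against the 8.x-1.2 release.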
