
it-securitynotifies - [IT-SecNots] [Security-news] Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecNots] [Security-news] Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012
  • Date: Wed, 2 Jun 2021 17:43:27 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-012

Project: Frequently Asked Questions [1]
Date: 2021-June-02
Security risk: *Moderately critical* 11/25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
The Frequently Asked Questions (faq) module allows users, with appropriate
permissions, to create question and answer pairs which they want displayed on
the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes
configured. Basic Views layouts are also provided and can be customised via
the Views UI (rather than via the module settings page).

The module doesn't sufficiently sanitize editor input, leading to a Cross Site
Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "create faq content" permission.
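The pattern behind this class of bug, as an added illustration that is not the faq module's own code: a hypothetical Drupal 7 render helper for one question/answer pair, first outputting editor-supplied strings raw, then the hardened form that escapes the plain-text title with check_plain() and runs the body through its text format with check_markup(). It assumes a bootstrapped Drupal 7 site (field_get_items(), check_plain(), check_markup() and the global language object are the core API; faq_example_* are hypothetical names).

```php
<?php
// Hypothetical Drupal 7 helpers, not code from the faq module.
// Assumes Drupal 7 core is bootstrapped (check_plain, check_markup, field_get_items).

// Unsafe: in Drupal 7, '#markup' is emitted verbatim, so any markup an editor
// typed into the title or body (script tags included) lands in the page as-is.
function faq_example_pair_unsafe($node) {
  $body = field_get_items('node', $node, 'body');
  return array(
    '#markup' => '<dt>' . $node->title . '</dt>'
               . '<dd>' . $body[0]['value'] . '</dd>',
  );
}

// Hardened: the title is plain text, so it is HTML-escaped with check_plain();
// the body is rendered through the text format stored with it, so the format's
// filters (e.g. filter_xss for "Filtered HTML") decide which tags survive.
// Caveat: a permissive format such as "Full HTML" performs no XSS filtering,
// so the text formats granted to the "create faq content" role still matter.
function faq_example_pair_safe($node) {
  $body = field_get_items('node', $node, 'body');
  $question = check_plain($node->title);
  $answer = check_markup($body[0]['value'], $body[0]['format'],
                         $GLOBALS['language']->language);
  return array(
    '#markup' => '<dt>' . $question . '</dt><dd>' . $answer . '</dd>',
  );
}

// Constructed sample node: the title carries markup an editor could enter.
$sample = new stdClass();
$sample->type = 'faq';
$sample->title = 'Is <em>this</em> escaped?';
$sample->body = array(LANGUAGE_NONE => array(array(
  'value' => '<p>Only tags the text format allows are kept.</p>',
  'format' => 'filtered_html',
)));

// Unsafe output keeps "<em>" intact; safe output renders it as "&lt;em&gt;".
print drupal_render(faq_example_pair_unsafe($sample)) . "\n";
print drupal_render(faq_example_pair_safe($sample)) . "\n";
```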

Solution: 
Install the latest version:

* If you use the Frequently Asked Questions module for Drupal 7.x, upgrade
to Frequently Asked Questions 7.x-1.3 [3]

Reported By: 
* Mitch Portier [4]

Fixed By: 
* Mitch Portier [5]
* Mohammed Razem [6]
* Vijay Mani [7] Provisional Member of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/faq
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/faq/releases/7.x-1.3
[4] https://www.drupal.org/user/2284182
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/255384
[7] https://www.drupal.org/user/93488
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


