
it-securitynotifies - [IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039
  • Date: Wed, 22 Sep 2021 18:06:45 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-039

Project: The Better Mega Menu [1]
Date: 2021-September-22
Security risk: *Moderately critical* 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
This module provides an admin interface for creating drop down menus that
combine Drupal menu items with rich media content.

The module does not sufficiently sanitize user input, so an administrator
with permission to edit a menu may be able to exploit one or more
cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have
permission to administer mega menus and/or to create or edit menu links in
order to inject the XSS.

Solution: 
Install the latest version:

* If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu
8.x-1.4 [3]

Reported By: 
* Patrick Fey [4]

Fixed By: 
* Patrick Fey [5]
* Wade Stewart [6]
* Greg Knaddison [7] of the Drupal Security Team
* Chris Panza [8]
* knaffles [9]

Coordinated By: 
* Damien McKenna [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/tb_megamenu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tb_megamenu/releases/8.x-1.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/998680
[6] https://www.drupal.org/user/3190381
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1215854
[9] https://www.drupal.org/user/1140512
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
