it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038
- Date: Wed, 22 Sep 2021 18:06:49 +0000 (UTC)
- Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-038
Project: The Better Mega Menu [1]
Date: 2021-September-22
Security risk: *Moderately critical* 12/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities
Description:
This module provides an admin interface for creating drop down menus that
combine Drupal menu items with rich media content.
The module does not sanitize values for CSS properties that are added by
admins and rendered on the front-end, allowing attackers to inject malicious
code into the front-end markup.
This vulnerability is mitigated by the fact that it can only be exploited by
an attacker with permissions to administer TB Mega Menu, or a sophisticated
anonymous user using a site-specific attack that exploits the Cross Site
Request Forgery vulnerability that is fixed by this same release.
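As an added illustration, not code from the module or from its actual fix, the snippet below places the unsafe pattern the advisory describes (admin-supplied CSS values concatenated into a style attribute) next to an allowlist validator that only lets a strict value grammar through. The property list, value grammar and markup are assumptions for the example.

```python
import html
import re

# Allowlist of CSS properties an administrator may set on a menu item.
# Assumption: an illustrative list, not the module's real configuration schema.
ALLOWED_PROPERTIES = {
    "color", "background-color", "width", "height",
    "padding", "margin", "font-size", "text-align",
}

# Conservative value grammar: hex colours, numbers with a unit, plain keywords,
# and space-separated runs of those. Quotes, angle brackets, semicolons,
# parentheses (url(), expression()) and backslashes can never match.
_TOKEN = r"(?:#[0-9a-fA-F]{3,8}|-?\d+(?:\.\d+)?(?:px|em|rem|%|vh|vw)?|[a-zA-Z][a-zA-Z-]*)"
_VALUE_RE = re.compile(rf"{_TOKEN}(?: +{_TOKEN})*")


def render_unsafe(props):
    """The defect the advisory describes: stored values are concatenated
    straight into a style attribute, so a value containing a quote or '>'
    breaks out of the attribute and becomes markup."""
    css = ";".join(f"{k}:{v}" for k, v in props.items())
    return f'<div class="tb-megamenu-item" style="{css}">'


def validate_css(props):
    """Split admin-supplied declarations into accepted pairs and the names
    of rejected properties (unknown property or value outside the grammar)."""
    accepted, rejected = {}, []
    for prop, value in props.items():
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and _VALUE_RE.fullmatch(value):
            accepted[prop] = value
        else:
            rejected.append(prop)
    return accepted, rejected


def render_safe(props):
    """Render only validated declarations; html.escape is defence in depth,
    since the grammar already excludes every attribute-breaking character."""
    accepted, _ = validate_css(props)
    css = ";".join(f"{k}:{v}" for k, v in accepted.items())
    return f'<div class="tb-megamenu-item" style="{html.escape(css, quote=True)}">'
```

The rejected list is what an admin form should surface as a validation error, so a typo in a legitimate value is reported rather than silently dropped.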
Solution:
Install the latest version:
* If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu
8.x-1.4 [3]
Reported By:
* Patrick Fey [4]
Fixed By:
* Patrick Fey [5]
* knaffles [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tb_megamenu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tb_megamenu/releases/8.x-1.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/998680
[6] https://www.drupal.org/user/1140512
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.