[IT-SecNots] [Security-news] Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2021-042

Project: Linkit [1]
Date: 2021-September-29
Security risk: *Moderately critical* 12∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
Linkit provides an easy interface for internal and external linking with
WYSIWYG editors by using an autocomplete field.

It does not sufficiently sanitize user input.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create or edit an entity bundle.

Solution: 
Install the latest version:

  * If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.4 
[3]

Reported By: 
  * Patrick Fey [4]

Fixed By: 
  * Emil Stjerneman [5]
  * Patrick Fey [6]
  * John [7]

Coordinated By: 
  * Damien McKenna [8] of the Drupal Security Team
  * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/linkit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/linkit/releases/8.x-4.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/464598
[6] https://www.drupal.org/user/998680
[7] https://www.drupal.org/user/3331569
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news