it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024
- Date: Wed, 28 Jun 2023 17:50:17 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org BAE046146A
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6935A61520
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org D1D3A81FED
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1921F81FB8
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-024
Project: GridStack [1]
Version: 8.x-2.10, 8.x-2.9, 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-June-28
Security risk: *Less critical* 7/25
AC:Complex/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to create dynamic layouts and add sample color
palettes for color selection hints via its UI.
The module doesn't sufficiently sanitize its own settings in certain
scenarios, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer gridstack".
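The advisory does not say which setting or code path was affected, so the following is an added illustration of the general defect class it describes, not code from the GridStack module or from the Drupal Security Team. It assumes a Drupal 9/10 site and invents the function names `gridstack_example_palette_hint_unsafe` / `gridstack_example_palette_hint_safe` and the "palette hint" setting (a label plus a hex colour) purely for the example. The unsafe variant marks a stored setting as trusted markup; the hardened variant treats settings as data on output and validates the colour before it reaches an attribute.

```php
<?php
// Hypothetical illustration, not GridStack code: rendering an admin-configured
// "colour palette hint" setting. Drupal 9/10 Render API assumed.

use Drupal\Core\Render\Markup;

/**
 * Unsafe pattern: a stored setting is promoted to trusted HTML.
 *
 * Markup::create() tells the renderer the string is already safe, so it is
 * emitted verbatim to every visitor of the page. The only thing standing
 * between a stored value and the browser is the "administer gridstack"
 * permission of whoever saved it, which matches the advisory's mitigation.
 */
function gridstack_example_palette_hint_unsafe(string $label, string $hex): array {
  return [
    '#type' => 'container',
    'label' => [
      '#markup' => Markup::create($label),
    ],
    'swatch' => [
      '#type' => 'html_tag',
      '#tag' => 'span',
      '#attributes' => ['style' => 'background:' . $hex],
    ],
  ];
}

/**
 * Hardened pattern: settings are data, never markup.
 *
 * '#plain_text' is HTML-escaped by the renderer regardless of who saved the
 * value. The colour is checked against a strict hex pattern before it is
 * placed in a style attribute; anything else falls back to a neutral value.
 */
function gridstack_example_palette_hint_safe(string $label, string $hex): array {
  // Accept only #RGB or #RRGGBB; constructed fallback value otherwise.
  $safe_hex = preg_match('/^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', $hex)
    ? $hex
    : '#000000';

  return [
    '#type' => 'container',
    'label' => [
      '#plain_text' => $label,
    ],
    'swatch' => [
      '#type' => 'html_tag',
      '#tag' => 'span',
      '#attributes' => ['style' => 'background:' . $safe_hex],
    ],
  ];
}

/**
 * Example validation for the settings form, so bad values are rejected on
 * input as well as neutralised on output (defence in depth). Hypothetical
 * field names 'palette_label' and 'palette_hex'.
 */
function gridstack_example_settings_validate(array $values, callable $set_error): void {
  if (!preg_match('/^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', $values['palette_hex'] ?? '')) {
    $set_error('palette_hex', 'Enter a colour as #RGB or #RRGGBB.');
  }
  if (mb_strlen($values['palette_label'] ?? '') > 64) {
    $set_error('palette_label', 'Label must be 64 characters or fewer.');
  }
}
```

The hardened version does not rely on the permission as the only control: even a value stored by an administrator (or by an attacker who obtained that role) is escaped when rendered, which is the property the fix in 8.x-2.11 restores for the affected settings.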
Solution:
Install the latest version:
* If you use the GridStack module prior to version 8.x-2.11 for Drupal 9.x
or 10.x, upgrade to GridStack 8.x-2.11 [3]
Reported By:
* Mitch Portier [4]
Fixed By:
* Gaus Surahman [5]
* Mitch Portier [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/gridstack
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gridstack/releases/8.x-2.11
[4] https://www.drupal.org/user/2284182
[5] https://www.drupal.org/user/159062
[6] https://www.drupal.org/user/2284182
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news