
it-securitynotifies - [IT-SecNots] [Security-news] Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive



  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055
  • Date: Wed, 20 Dec 2023 17:53:16 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-055

Project: Data Visualisation Framework [1]
Date: 2023-December-20
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: < 2.0.2
Description: 
This module allows you to turn various data sources (e.g. CSV or JSON files)
into interactive visualisations. The DVF module provides a field (storage,
widget and formatter) that can be added to any entity.

This module uses two third-party JS libraries with known vulnerabilities
ranging from low to medium severity. One of these is a Cross Site Scripting
vulnerability that may affect Drupal sites as a persistent (stored, i.e. not
reflected) Cross Site Scripting vulnerability. This release updates the
libraries.

The issue is mitigated by the fact that an attacker needs the permission to
create or edit content that is displayed using the Data Visualisation
Framework.

Solution: 
Install the latest version:

* If you use the Data Visualisation Framework for Drupal module (DVF for
short), upgrade to dvf 2.0.2 [3]
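Added example (not from the advisory or the DVF project): a small Python check that reads a site's composer.lock and flags a drupal/dvf version below the fixed 2.0.2 release. It assumes the module is installed via Composer under the package name drupal/dvf; the lock-file fragment is constructed sample data.

```python
"""Check a Drupal site's composer.lock for a drupal/dvf version below 2.0.2.

Added example, not part of the advisory. Assumes the module is installed via
Composer as drupal/dvf; SAMPLE_LOCK below is constructed sample data.
"""
import json
import re

FIXED_VERSION = "2.0.2"  # SA-CONTRIB-2023-055: affected versions are < 2.0.2
PACKAGE = "drupal/dvf"   # assumed Composer package name for the DVF module

# Constructed composer.lock fragment (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.1.7"},
        {"name": "drupal/dvf", "version": "2.0.1"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Turn '2.0.1', 'v2.0.1' or '8.x-1.5' into a comparable tuple of ints.

    The legacy '8.x-' core prefix and a leading 'v' are dropped; a non-numeric
    suffix such as '-beta1' is ignored. A version with no numeric part (e.g.
    'dev-main') yields an empty tuple, which compares as lower than any release
    and is therefore flagged, a deliberately conservative choice.
    """
    version = re.sub(r"^(v|\d+\.x-)", "", version)
    numbers = re.match(r"[\d.]+", version)
    if not numbers:
        return ()
    return tuple(int(n) for n in numbers.group(0).split(".") if n)


def find_installed(lock_text, package):
    """Return the locked version of `package`, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_affected(lock_text):
    """True if drupal/dvf is locked at a version below the fixed release."""
    installed = find_installed(lock_text, PACKAGE)
    if installed is None:
        return False  # module not installed via Composer: nothing to flag here
    return parse_version(installed) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    state = "AFFECTED" if is_affected(SAMPLE_LOCK) else "not affected"
    print(f"{PACKAGE} {find_installed(SAMPLE_LOCK, PACKAGE)}: {state}")
```

Point it at a real site by replacing SAMPLE_LOCK with the contents of the project's composer.lock; a site that installs the module without Composer needs the version read from the module's info file instead.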

Reported By: 
* Joseph Zhao [4]

Fixed By: 
* Joseph Zhao [5]

Coordinated By: 
* Damien McKenna [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
* cilefen [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team


[1] https://www.drupal.org/project/dvf
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/dvf/releases/2.0.2
[4] https://www.drupal.org/user/1987218
[5] https://www.drupal.org/user/1987218
[6] https://www.drupal.org/u/DamienMcKenna
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/cilefen
[9] https://www.drupal.org/u/larowlan

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
