it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] View Password - Less critical - Cross Site Scripting - SA-CONTRIB-2024-026
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] View Password - Less critical - Cross Site Scripting - SA-CONTRIB-2024-026
- Date: Wed, 31 Jul 2024 16:16:19 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-026
Project: View Password [1]
Date: 2024-July-31
Security risk: *Less critical* 8/25
AC:Basic/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <6.0.4
Description:
The View Password module adds a help icon button next to the password input
field that toggles the visibility of the password. Administrative users can add
CSS classes to this icon for styling purposes.
The module does not validate the contents of the classes field. A malicious user
with access to the View Password settings form could therefore add malicious
code in the classes field.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer view password".
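The defensive pattern the advisory implies is an allowlist on the class field plus attribute escaping at render time. The following is an added illustration written for this archive page, not code from the View Password module or its 6.0.4 fix; the function names, the `icon_classes` element name and the `view-password-icon` class are hypothetical, while `Html::getClass()`, `FormStateInterface`, `#element_validate`, `setErrorByName()` and the `html_tag` render element are real Drupal APIs.

```php
<?php

// Added example, not part of the View Password module: validating a
// space-separated list of CSS classes taken from a settings form so that
// only plain class identifiers reach the page, and emitting them through the
// render API rather than by string concatenation.

use Drupal\Component\Utility\Html;
use Drupal\Core\Form\FormStateInterface;

/**
 * Splits a user-supplied class string into tokens and accepts only tokens
 * that are plain CSS identifiers (letters, digits, '-' and '_').
 *
 * Returns the list of accepted tokens, or NULL if any token is unsafe.
 * Hypothetical helper name.
 */
function example_safe_class_list(string $raw): ?array {
  $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
  $accepted = [];
  foreach ($tokens as $token) {
    // Anything outside the identifier alphabet (quotes, angle brackets,
    // '=' and so on) is rejected outright instead of being "cleaned".
    if (!preg_match('/^[A-Za-z_-][A-Za-z0-9_-]*$/', $token)) {
      return NULL;
    }
    // Normalise the token the same way Drupal does for class names.
    $accepted[] = Html::getClass($token);
  }
  return $accepted;
}

/**
 * #element_validate callback for a hypothetical 'icon_classes' textfield.
 * Attach with: $form['icon_classes']['#element_validate'][] =
 *   'example_validate_icon_classes';
 */
function example_validate_icon_classes(array $element, FormStateInterface $form_state): void {
  $raw = (string) $form_state->getValue($element['#parents']);
  if ($raw !== '' && example_safe_class_list($raw) === NULL) {
    $form_state->setErrorByName(
      implode('][', $element['#parents']),
      t('Classes may only contain letters, digits, hyphens and underscores, separated by spaces.')
    );
  }
}

/**
 * Builds the icon as a render array. Passing classes through '#attributes'
 * lets Drupal's Attribute handling escape them when the tag is rendered,
 * which is the second layer behind the form validation above.
 */
function example_build_icon(array $classes): array {
  return [
    '#type' => 'html_tag',
    '#tag' => 'span',
    '#attributes' => [
      'class' => array_merge(['view-password-icon'], $classes),
    ],
  ];
}
```

The validation step is what closes the issue described above: even a user who holds the administrative permission can only store identifier-shaped tokens, and the render array keeps the stored values in attribute context instead of letting them become raw markup.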
Solution:
Install the latest version:
* If you use the View Password module, upgrade to View Password 6.0.4 [3].
Reported By:
* Ide Braakman [4]
Fixed By:
* Ana Colautti [5]
* Ide Braakman [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/view_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/view_password/releases/6.0.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/2925043
[6] https://www.drupal.org/user/1879760
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.