View online: https://www.drupal.org/sa-contrib-2023-020
Project: Office Hours [1]
Version: 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2023-June-14
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description: This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location.
The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker whose role has the permission "administer display", regardless of other configuration. In some scenarios, the vulnerability can be exploited by a user with "Create content" or "Edit content" permission for a relevant Content type.
Solution: Install the latest version:
* If you use the 'Office hours' module for Drupal 8.x, upgrade to office_hours 8.x-1.11 [3]
Reported By:
* John Voskuilen [4]
* Mitch Portier [5]
Fixed By:
* John Voskuilen [6]
* Mitch Portier [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/office_hours
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/office_hours/releases/8.x-1.11
[4] https://www.drupal.org/user/591042
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/591042
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/user/36762