View online: https://www.drupal.org/sa-contrib-2018-080
Project: E-Sign [1]
Version: 7.x-1.9
Date: 2018-December-19
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description: This module integrates Signature Pad, an electronic-signing script, into Drupal for nodes (content), the Field API (FAPI), and Webforms.
The module doesn't sufficiently filter user input when displaying a signature.
The vulnerability is mitigated by the fact that an attacker must have the ability to submit a signature. That permission might be associated with submitting a webform or creating or editing a node depending on site configuration.
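The advisory names the bug class (a stored signature value reaching the page without adequate filtering) but not the affected code, so the following is an added illustration of that class in Drupal 7 terms, not code from the E-Sign module or from the fix in 7.x-1.10. It assumes a hypothetical formatter that receives the submitted signature as a data: URI string in $item['value']; the function names are invented for the example.

```php
<?php
// Added illustration, not code from the E-Sign module or its 7.x-1.10 fix.
// Assumption: the submitted signature arrives as a data: URI in $item['value'].

/**
 * Vulnerable pattern: the stored value is concatenated into markup unescaped.
 *
 * Because the value is attacker-controlled at submission time, a payload such as
 *   data:image/png;base64,AAAA" onerror="alert(document.cookie)
 * closes the src attribute and adds an event handler. Whoever can submit a
 * signature (via a webform or a node, as the advisory notes) then runs script
 * in the browser of every user who views it.
 */
function example_signature_view_unsafe(array $item) {
  return array(
    '#markup' => '<img class="esign-signature" src="' . $item['value'] . '" />',
  );
}

/**
 * Hardened pattern: allow-list the only shape a signature image may take,
 * then let drupal_attributes() escape every attribute value with check_plain().
 *
 * The allow-list is the stronger control: a value that is not a base64 PNG is
 * not a signature and is never rendered. Escaping is kept as the second layer
 * so that a future change to the regex cannot silently reintroduce the bug.
 */
function example_signature_view_safe(array $item) {
  $value = isset($item['value']) ? (string) $item['value'] : '';

  // Accept exactly one data URI form; reject anything else outright.
  if (!preg_match('#^data:image/png;base64,[A-Za-z0-9+/]+={0,2}$#', $value)) {
    return array('#markup' => '');
  }

  $attributes = array(
    'class' => array('esign-signature'),
    'src' => $value,
    'alt' => t('Signature'),
  );

  return array(
    '#markup' => '<img' . drupal_attributes($attributes) . ' />',
  );
}
```

When auditing a site before and after the upgrade, the check is the same one the hardened function makes: find every place a submitted signature is echoed into markup and confirm the value is validated against the expected format and escaped (check_plain(), drupal_attributes(), or a themed render element) rather than concatenated raw.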
Solution: Install the latest version:
* If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10 [3]
Also see the E-Sign [4] project page.
Reported By:
* Mitch Portier [5]
Fixed By:
* Adam Weiss [6]
* Mitch Portier [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/esign
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/esign/releases/7.x-1.10
[4] https://www.drupal.org/project/esign
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/1199320
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/u/greggles