View online: https://www.drupal.org/sa-contrib-2019-057
Project: Meta tags quick [1] Date: 2019-July-17 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting
Description: Metatags quick is a module that manages meta tags (tags that appear in HTML's head section) as Drupal 7 fields. Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution: Install the latest version.
If you use the Metatags quick module for Drupal 7.x, upgrade to metatags quick 7.x-2.10. [3]
Reported By: * Yonatan Offek [4]
Fixed By: * Valery Lourie [5] * Yonatan Offek [6]
Coordinated By: * Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/metatags_quick [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/metatags_quick/releases/7.x-2.10 [4] https://www.drupal.org/user/194009 [5] https://www.drupal.org/user/239562 [6] https://www.drupal.org/user/194009 [7] https://www.drupal.org/user/36762