View online: https://www.drupal.org/sa-contrib-2023-024
Project: GridStack [1]
Version: 8.x-2.10, 8.x-2.9, 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-June-28
Security risk: *Less critical* 7∕25 AC:Complex/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description: This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.
The module doesn't sufficiently sanitize its own settings in certain scenarios, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the "administer gridstack" permission.
Solution: Install the latest version:
* If you use the GridStack module prior to version 8.x-2.11 for Drupal 9.x or 10.x, upgrade to GridStack 8.x-2.11 [3]
Reported By:
* Mitch Portier [4]
Fixed By:
* Gaus Surahman [5]
* Mitch Portier [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/gridstack
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gridstack/releases/8.x-2.11
[4] https://www.drupal.org/user/2284182
[5] https://www.drupal.org/user/159062
[6] https://www.drupal.org/user/2284182
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762