View online: https://www.drupal.org/sa-contrib-2023-055
Project: Data Visualisation Framework [1] Date: 2023-December-20 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting
Affected versions: < 2.0.2 Description: This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.
This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.
The issue is mitigated by the fact an attacker needs the permission to create or edit content that is displayed using the Data Visualization Framework.
Solution: Install the latest version:
* If you use the Data Visualisation Framework for Drupal module (DVF for short), upgrade to dvf 2.0.2 [3]
Reported By: * Joseph Zhao [4]
Fixed By: * Joseph Zhao [5]
Coordinated By: * Damien McKenna [6] of the Drupal Security Team * Greg Knaddison [7] of the Drupal Security Team * cilefen [8] of the Drupal Security Team * Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/dvf [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/dvf/releases/2.0.2 [4] https://www.drupal.org/user/1987218 [5] https://www.drupal.org/user/1987218 [6] https://www.drupal.org/u/DamienMcKenna [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/u/cilefen [9] https://www.drupal.org//www.drupal.org/u/larowlan