View online: https://www.drupal.org/sa-contrib-2019-073

Project: Maxlength [1] Date: 2019-October-09 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting

Description:  This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact the malicious script will not be triggered in the browser of UID 1 nor any user with "Bypass maxlength setting".

Solution:  Install the latest version:

* If you use the Maxlength module for Drupal 7.x, upgrade to Maxlength 7.x-3.3 [3]

Also see the Maxlength [4] project page.

Reported By:  * Yonatan Offek [5]

Fixed By:  * Yonatan Offek [6] * Aron Novak [7] * Daniel Wehner [8]

Coordinated By:  * Greg Knaddison [9] Drupal Security Team member

[1] https://www.drupal.org/project/maxlength [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/maxlength/releases/7.x-3.3 [4] https://www.drupal.org/project/maxlength [5] https://www.drupal.org/user/194009 [6] https://www.drupal.org/user/194009 [7] https://www.drupal.org/user/61864 [8] https://www.drupal.org/user/99340 [9] https://www.drupal.org/user/36762