Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054
View online: https://www.drupal.org/sa-contrib-2019-054

Project: Advanced Forum [1]
Version: 7.x-2.x-dev
Date: 2019-June-26
Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description:
Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what standalone software provides.

The module doesn't sufficiently sanitise user input in specific circumstances. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

Solution:
Install the latest version:

* If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced Forum 7.x-2.8 [3]

Also see the Advanced Forum [4] project page.

Reported By:
* Drew Webber [5] of the Drupal Security Team

Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Vijaya Chandran Mani [7] Provisional Member of the Drupal Security Team

Coordinated By:
* Drew Webber [8] of the Drupal Security Team

[1] https://www.drupal.org/project/advanced_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/advanced_forum/releases/7.x-2.8
[4] https://www.drupal.org/project/advanced_forum
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/93488
[8] https://www.drupal.org/user/255969