View online: https://www.drupal.org/sa-contrib-2018-047
Project: EU Cookie Compliance [1]
Date: 2018-July-11
Security risk: *Moderately critical* 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description: This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.
The module does not sanitize some inputs, which leads to a cross-site scripting (XSS) vulnerability. This is mitigated by the fact that an attacker must have the permission "Administer EU Cookie Compliance".
Solution: Install the latest version:
* If you use the eu_cookie_compliance module for Drupal 7.x, upgrade to eu_cookie_compliance 7.x-1.24 [3]
* If you use the eu_cookie_compliance module for Drupal 8.x, upgrade to eu_cookie_compliance 8.x-1.1 [4]
Also see the EU Cookie Compliance [5] project page.
Reported By:
* Alexander Hass [6]
Fixed By:
* Sven Berg Ryen [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/eu_cookie_compliance
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eu_cookie_compliance/releases/7.x-1.24
[4] https://www.drupal.org/project/eu_cookie_compliance/releases/8.x-1.1
[5] https://www.drupal.org/project/eu-cookie-compliance
[6] https://www.drupal.org/user/85918
[7] https://www.drupal.org/user/667244
[8] https://www.drupal.org/u/mlhess