View online: https://www.drupal.org/sa-contrib-2017-080
Project: Mosaik [1]
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Description: The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.
The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".
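As an added illustration (hypothetical Drupal 7 module code, not Mosaik's own source), the two patterns the advisory describes, each shown unsanitized and then sanitized with check_plain(). The mosaik_example_* function names and the $settings array are assumptions; $settings stands for titles saved by a user holding "administer mosaik".

```php
<?php
/**
 * Hypothetical Drupal 7 code, not taken from the Mosaik module. It contrasts
 * the unsanitized title handling described in SA-CONTRIB-2017-080 with the
 * sanitized form. $settings holds values stored by an administrator.
 */

// VULNERABLE: the stored title reaches the fieldset legend unescaped.
// theme_fieldset() prints #title as-is, so HTML in the title is rendered.
function mosaik_example_admin_form_vulnerable($form, &$form_state, $settings) {
  $form['piece'] = array(
    '#type' => 'fieldset',
    '#title' => $settings['title'],
  );
  return $form;
}

// VULNERABLE: hook_block_view() is expected to return an already sanitized
// 'subject'; block.tpl.php prints $block->subject without escaping it.
function mosaik_example_block_view_vulnerable($settings) {
  return array(
    'subject' => $settings['block_title'],
    'content' => array('#markup' => '<div class="mosaik"></div>'),
  );
}

// FIXED: check_plain() HTML-encodes the plain-text title, so any tags a
// stored title contains are displayed literally instead of being rendered.
function mosaik_example_admin_form_fixed($form, &$form_state, $settings) {
  $form['piece'] = array(
    '#type' => 'fieldset',
    '#title' => check_plain($settings['title']),
  );
  return $form;
}

// FIXED: the block subject is escaped before it leaves the module.
function mosaik_example_block_view_fixed($settings) {
  return array(
    'subject' => check_plain($settings['block_title']),
    'content' => array('#markup' => '<div class="mosaik"></div>'),
  );
}
```

check_plain() is the right call for titles that are meant to be plain text; filter_xss() would be the choice only where a limited set of HTML is intentionally allowed in the title.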
Solution: Install the latest version:
* If you use the Mosaik module for Drupal 7, upgrade to Mosaik 7.x-1.2 [3]
Also see the Mosaik [4] project page.
Reported By:
* Tatar Balazs Janos [5]

Fixed By:
* Tatar Balazs Janos [6]
* Adriano Cori [7], the module maintainer

Coordinated By:
* David Rothstein [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mosaik
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mosaik/releases/7.x-1.2
[4] https://www.drupal.org/project/mosaik
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/805228
[8] https://www.drupal.org/user/124982