View online: https://www.drupal.org/sa-contrib-2019-039
Project: AddToAny Share Buttons [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description: This module enables you to add social media share buttons to the content and pages of your website.
The module doesn't sufficiently mark its administration permission as restricted, which exposes cross site scripting vulnerabilities to users who have access to its admin settings.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer addtoany".
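The following Drupal 7 sketch is an added example, not code from the AddToAny module or its patch. It shows how a module marks a permission as restricted in `hook_permission()` and how a site owner can list the roles that hold a given permission; the module name `example_share` and the function `example_share_audit_permission()` are hypothetical.

```php
<?php
/**
 * Added illustration for Drupal 7. "example_share" is a hypothetical module,
 * not AddToAny's own code.
 */

/**
 * Implements hook_permission().
 */
function example_share_permission() {
  return array(
    'administer example_share' => array(
      'title' => t('Administer Example Share'),
      'description' => t('Change share button settings that end up in page markup.'),
      // Weak form: omit this key and the permission is listed like any other.
      // Corrected form: with it, the permissions page warns that the
      // permission has security implications and is for trusted roles only.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Lists roles holding a permission and flags the built-in low-trust roles.
 *
 * @param string $permission
 *   Machine name of the permission, e.g. 'administer addtoany'.
 *
 * @return array
 *   Role name => review note.
 */
function example_share_audit_permission($permission) {
  $report = array();
  $low_trust = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);
  // user_roles(FALSE, $permission) returns rid => name for roles granted it.
  foreach (user_roles(FALSE, $permission) as $rid => $name) {
    $report[$name] = in_array($rid, $low_trust)
      ? 'REVIEW: granted to every visitor or every account'
      : 'Confirm this role is limited to trusted users';
  }
  return $report;
}

// From a bootstrapped site (for example a script run with `drush php-script`):
// print_r(example_share_audit_permission('administer addtoany'));
```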
Solution:
* If you use the AddToAny Share Buttons module for Drupal 7.x, upgrade to AddToAny Share Buttons 7.x-4.16 [3]

Reported By:
* Balazs Janos Tatar [4]

Fixed By:
* Balazs Janos Tatar [5]
* micropat [6]

Coordinated By:
* Balazs Janos Tatar [7]

[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/7.x-4.16
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/260224
[7] https://www.drupal.org/user/649590