View online: https://www.drupal.org/sa-contrib-2024-026
Project: View Password [1]
Date: 2024-July-31
Security risk: *Less critical* 8/25 AC:Basic/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <6.0.4

Description:
The View Password module adds a help icon button next to the password input field that toggles the password's visibility. Administrative users can add CSS classes to this icon for styling purposes.

The module does not validate the contents of the classes field. A malicious user with access to the View Password settings form could add malicious code in the classes field, which is then output with the icon.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".
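The defensive pattern this advisory implies, as an added example that is not the View Password module's own code: an `#element_validate` callback that accepts only valid CSS identifiers in a class field, and a render array that passes the stored classes through `#attributes` so Drupal escapes them at output. The `example_icon` function names and the config value are hypothetical.

```php
<?php

/**
 * @file
 * Added example (hypothetical example_icon module, not View Password's code):
 * validate an admin-supplied class list on save and render it safely.
 */

use Drupal\Component\Utility\Html;
use Drupal\Core\Form\FormStateInterface;

/**
 * Returns the settings form element, with validation attached.
 */
function example_icon_classes_element(string $default): array {
  return [
    '#type' => 'textfield',
    '#title' => t('Icon classes'),
    '#description' => t('Space-separated CSS class names.'),
    '#default_value' => $default,
    '#element_validate' => ['example_icon_validate_classes'],
  ];
}

/**
 * #element_validate callback: reject anything that is not a CSS identifier.
 */
function example_icon_validate_classes(array &$element, FormStateInterface $form_state) {
  $tokens = preg_split('/\s+/', trim($element['#value']), -1, PREG_SPLIT_NO_EMPTY);
  foreach ($tokens as $token) {
    // A well-formed class name survives cleanCssIdentifier() unchanged; any
    // token carrying quotes, angle brackets, slashes or other delimiters is
    // altered by it and therefore rejected before the value is stored.
    if (Html::cleanCssIdentifier($token) !== $token) {
      $form_state->setError($element, t('"@class" is not a valid CSS class name.', ['@class' => $token]));
      return;
    }
  }
}

/**
 * Builds the toggle icon from the stored (already validated) class string.
 */
function example_icon_build(string $stored_classes): array {
  $classes = preg_split('/\s+/', trim($stored_classes), -1, PREG_SPLIT_NO_EMPTY);
  // Emitting classes via #attributes rather than concatenating them into
  // #markup lets the Attribute object escape each value at render time,
  // a second line of defence if a bad value ever reached configuration.
  return [
    '#type' => 'html_tag',
    '#tag' => 'span',
    '#attributes' => ['class' => array_merge(['password-toggle'], array_map([Html::class, 'cleanCssIdentifier'], $classes))],
  ];
}
```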
Solution:
Install the latest version:

* If you use the View Password module, upgrade to View Password 6.0.4 [3].
Reported By:
* Ide Braakman [4]

Fixed By:
* Ana Colautti [5]
* Ide Braakman [6]

Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team

[1] https://www.drupal.org/project/view_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/view_password/releases/6.0.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/2925043
[6] https://www.drupal.org/user/1879760
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316