View online: https://www.drupal.org/sa-contrib-2018-059

Project: Fraction [1] Date: 2018-September-05 Security risk: *Less critical* 5∕25 6/25 ( Less Critical) AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: XSS vulnerability

Description:  This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.

Solution:  Install the latest version:

* If you use the Fraction module for Drupal 7.x, upgrade to Fraction 7.x-1.7 [3]. * If you use the Fraction module for Drupal 8.x, upgrade to Fraction 8.x-1.2 [4].

Also see the Fraction project page [5].

Reported By:  * bucefal91 [6]

Fixed By:  * bucefal91 [7] * Michael Stenta [8], the module maintainer.

Coordinated By:  * Michael Hess [9] of the security team.

[1] https://www.drupal.org/project/fraction [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/fraction/releases/7.x-1.7 [4] https://www.drupal.org/project/fraction/releases/8.x-1.2 [5] https://www.drupal.org/project/fraction [6] https://www.drupal.org/user/504128 [7] https://www.drupal.org/user/504128 [8] https://www.drupal.org/user/581414 [9] https://www.drupal.org/u/mlhess