View online: https://www.drupal.org/sa-contrib-2019-040

Project: Back To Top [1] Date: 2019-March-20 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting

Description:  This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery.

The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting (XSS) issue.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access backtotop settings".

Solution:  Install the latest version:

* If you use the Back To Top module for Drupal 7.x, upgrade to Back To Top 7.x-1.6 [3]

Reported By:  * Balazs Janos Tatar [4]

Fixed By:  * Mattias Axelsson [5] * Balazs Janos Tatar [6]

Coordinated By:  * Balazs Janos Tatar [7]

[1] https://www.drupal.org/project/back_to_top [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/back_to_top/releases/7.x-1.6 [4] https://www.drupal.org/user/649590 [5] https://www.drupal.org/user/765764 [6] https://www.drupal.org/user/649590 [7] https://www.drupal.org/user/649590