View online: https://www.drupal.org/sa-contrib-2018-019
Project: Display Suite [1]
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: *Critical* 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting (XSS)
Description: Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.
The module doesn't sufficiently validate view modes provided dynamically via URLs, leading to a reflected cross site scripting (XSS) attack.
This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the URL.
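Added example (not part of the advisory and not Display Suite's code): one way to handle a view mode taken from a URL, by checking it against the view modes the site has registered and escaping it again on output. The function names, the view mode list, the default and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Display Suite code. Function names, the view mode
// list, the default and the sample inputs are constructed for illustration.

/**
 * Return a view mode that is safe to use, given untrusted URL input.
 */
function resolve_view_mode($requested, array $registered, $default) {
  // A parameter written as name[]=x arrives as an array in PHP;
  // accept plain strings only.
  if (!is_string($requested)) {
    return $default;
  }
  // Assumed naming rule: lowercase letters, digits and underscores.
  if (!preg_match('/^[a-z0-9_]+$/', $requested)) {
    return $default;
  }
  // Strict allow-list: the value must be a view mode the site defines.
  return in_array($requested, $registered, TRUE) ? $requested : $default;
}

/**
 * Build wrapper markup; escape on output even after validation.
 */
function render_wrapper($view_mode, $body_html) {
  $class = htmlspecialchars('view-mode-' . $view_mode, ENT_QUOTES, 'UTF-8');
  return '<div class="' . $class . '">' . $body_html . '</div>';
}

$registered = array('full', 'teaser', 'search_result'); // constructed list
$samples = array(                                        // constructed inputs
  'teaser',
  'Teaser',
  'unknown_mode',
  '"><b>injected</b>',
  array('teaser'),
  NULL,
);

foreach ($samples as $raw) {
  $mode = resolve_view_mode($raw, $registered, 'full');
  printf("%-26s => %s\n", json_encode($raw), render_wrapper($mode, '...'));
}
```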
Solution:
  * If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display Suite 7.x-1.10 [3]
  * If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display Suite 7.x-2.15 [4]

Reported By:
  * Liz Pringi [5]

Fixed By:
  * Kristof De Jaeger [6] the module maintainer

Coordinated By:
  * Rick Manelius [7] of the Drupal Security Team
  * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/ds
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ds/releases/7.x-1.10
[4] https://www.drupal.org/project/ds/releases/7.x-2.15
[5] https://www.drupal.org/u/epringi
[6] https://www.drupal.org/u/swentel
[7] https://www.drupal.org/u/rickmanelius
[8] https://www.drupal.org/u/greggles