View online: https://www.drupal.org/sa-contrib-2019-015

Project: Focal Point [1] Version: 7.x-1.17.x-1.0 Date: 2019-February-13 Security risk: *Moderately critical* 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting

Description:  This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Solution:  Install the latest version:

* If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2 [3]

Also see the Focal Point [4] project page.

Reported By:  * poiu [5]

Fixed By:  * Alexander Ross [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team

[1] https://www.drupal.org/project/focal_point [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/focal_point/releases/7.x-1.2 [4] https://www.drupal.org/project/focal_point [5] https://www.drupal.org/user/194009 [6] https://www.drupal.org/user/77375 [7] https://www.drupal.org/user/36762