View online: https://www.drupal.org/sa-contrib-2020-025

Project: Internationalization [1] Version: 7.x-1.x-dev Date: 2020-June-17 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting

Description:  The Internationalization (i18n) [3] module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites.

A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit terms in " on a taxonomy vocabulary with i18n term translation enabled and the victim uses the i18n term translation page.

Solution:  Install the latest version:

* If you use the Internationalization (i18n) [4] module for Drupal 7.x, upgrade to i18n 7.x-1.27 [5]

Also see the Internationalization [6] project page.

Reported By:  * Guillaume MEMEINT [7]

Fixed By:  * Guillaume MEMEINT [8] * Peter Philipp [9]

Coordinated By:  * Greg Knaddison [10] of the Drupal Security Team

[1] https://www.drupal.org/project/i18n [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/i18n [4] https://www.drupal.org/project/i18n [5] https://www.drupal.org/node/3152334 [6] https://www.drupal.org/project/i18n [7] https://www.drupal.org/user/2760067 [8] https://www.drupal.org/user/2760067 [9] https://www.drupal.org/user/762870 [10] https://www.drupal.org/user/36762