[Security-news] SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Nov 19 20:46:43 UTC 2014


View online: https://www.drupal.org/node/2378401

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-114
   * Project: Tournament [1]     (third-party module)
   * Version: 7.x
   * Date: 2013-November-19
   * Security risk: 8/25 ( Less Critical)
     AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
   * Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

This project allows you to create various types of tournaments (as nodes) and
associated teams, tournaments, and matches.

There are several cases in the project where an account username, node title,
and team entity title are not correctly filtered before being displayed to a
user.

It is possible to create nodes or entities containing XSS or usernames could
be imported with XSS in the strings or created via an add-on module like LDAP
or similar.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permissions "Create new teams" or "Tournament: Create new content"
or "Match: Create new content" or the ability to create users with an XSS
payload in the usernames (Drupal core's input validation prevents XSS
payloads in usernames).


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance
            with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Tournament 7.x-1.x any version

Drupal core is not affected. If you do not use the contributed Tournament [4]
module,
       there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Tournament module for Drupal 7.x, upgrade to Tournament
     7.x-1.2 [5]

Also see the Tournament [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Matt V. [7]

-------- FIXED BY
------------------------------------------------------------

   * Joe Fender [8] the module maintainer
   * Matt Vance [9] provisional member of the Drupal Security Team
   * Greg Knaddison [10] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and  securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] https://www.drupal.org/project/tournament
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/tournament
[5] https://www.drupal.org/node/2378289
[6] https://www.drupal.org/project/tournament
[7] https://www.drupal.org/u/matt-v.
[8] https://www.drupal.org/u/fenda
[9] https://www.drupal.org/u/matt-v.
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity



More information about the Security-news mailing list