[Security-news] RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002
security-news at drupal.org
security-news at drupal.org
Wed Jan 13 20:29:57 UTC 2016
View online: https://www.drupal.org/node/2649800
* Advisory ID: DRUPAL-SA-CONTRIB-2016-002
* Project: RedHen CRM [1] (third-party module)
* Version: 7.x
* Date: 2016-January-13
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Redhen set of modules allows you to build a CRM features in a Drupal
site.
When rendering individual Contacts, this module does not properly filter the
certain data prior to display. When rendering listing of notes or engagement
scores, these modules do not properly filter certain data before display.
This vulnerability is mitigated by the fact that an attacker must have an
authenticated user account with access to edit a contact, administer
engagement scores, or administer taxonomies.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Redhen 7.x-1.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed RedHen CRM [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RedHen module for Drupal 7.x, upgrade to Redhen 7.x-1.11
[5]
Workaround (if you are unable to update the module immediately):
* In the display settings for your Redhen Contact Types
(admin/structure/redhen/contact_types), hide "name" on all display modes.
* Restrict access to "Administer Engagement Scores" and "Administer
Taxonomies" to trusted users.
Also see the RedHen CRM [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mikko Rantanen [7]
* Gabe Carleton-Barnes [8], a module maintainer
* Greg Knaddison [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jaymz Rhime [10], a module maintainer
* Gabe Carleton-Barnes [11], a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/redhen
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/redhen
[5] https://www.drupal.org/node/2649780
[6] https://www.drupal.org/project/redhen
[7] https://www.drupal.org/user/1004738
[8] https://www.drupal.org/user/1682976
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/3181097
[11] https://www.drupal.org/user/1682976
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list