[Security-news] Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

security-news at drupal.org
Wed Oct 25 16:42:52 UTC 2017


View online: https://www.drupal.org/sa-contrib-2017-080

Project: Mosaik [1]
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

Description: 
The Mosaik module enables you to create pages or complex blocks in Drupal
that are assembled from pieces, like a real mosaic.

The module doesn't sufficiently sanitize the titles of fieldsets on its
administration pages or the titles of blocks that it creates, so a title
containing markup is rendered as-is and any script in it runs in the browser
of whoever views that administration page or block (cross-site scripting).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer mosaik".
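
The following is an added illustration of the pattern this advisory describes
and of its fix, written in Drupal 7 style; it is not Mosaik's own code. The
module name mosaik_example, the helper functions and the $config array are
hypothetical stand-ins for whatever the module persists from its admin form.
check_plain() is Drupal 7 core; a fallback with the same behaviour is defined
so the file also runs under plain php outside Drupal.

```php
<?php
// Added illustration for SA-CONTRIB-2017-080 (hypothetical code, not Mosaik's).
// Drupal 7 core prints a fieldset's '#title' (theme_fieldset()) and a
// module-supplied block 'subject' (block.tpl.php) without escaping them, so a
// module that passes an admin-supplied string straight through gives the
// holder of that permission a script injection against every other
// administrator and every visitor who sees the block.

// Assumption: check_plain() is Drupal 7 core. This fallback lets the file run
// outside Drupal and matches core's behaviour (entity-encode < > & " ').
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// VULNERABLE: the stored title is emitted verbatim into the fieldset legend
// and into the block heading.
function mosaik_example_form_vulnerable(array $config) {
  $form['piece'] = array(
    '#type' => 'fieldset',
    '#title' => $config['title'],   // unescaped, admin-controlled
  );
  return $form;
}

function mosaik_example_block_view_vulnerable(array $config) {
  return array(
    'subject' => $config['title'],  // unescaped, admin-controlled
    'content' => array('#markup' => '<div class="mosaik"></div>'),
  );
}

// FIXED: escape at the point where the string becomes markup. check_plain()
// turns < > & " ' into entities, so the payload is displayed, not executed.
function mosaik_example_form_fixed(array $config) {
  $form['piece'] = array(
    '#type' => 'fieldset',
    '#title' => check_plain($config['title']),
  );
  return $form;
}

function mosaik_example_block_view_fixed(array $config) {
  return array(
    'subject' => check_plain($config['title']),
    'content' => array('#markup' => '<div class="mosaik"></div>'),
  );
}

// Minimal stand-in for what theme_fieldset() does with '#title': concatenate
// it into markup with no further escaping.
function render_legend($title) {
  return '<legend><span class="fieldset-legend">' . $title . '</span></legend>';
}

// Constructed payload a user with "administer mosaik" could save as a title.
$config = array('title' => '<img src=x onerror="alert(document.cookie)">');

$vuln  = mosaik_example_form_vulnerable($config);
$fixed = mosaik_example_form_fixed($config);

echo "vulnerable: ", render_legend($vuln['piece']['#title']), "\n";
echo "fixed:      ", render_legend($fixed['piece']['#title']), "\n";

$vuln_block  = mosaik_example_block_view_vulnerable($config);
$fixed_block = mosaik_example_block_view_fixed($config);

echo "vulnerable subject: ", $vuln_block['subject'], "\n";
echo "fixed subject:      ", $fixed_block['subject'], "\n";
```

Run it with plain php: the vulnerable lines reproduce the img tag with its
onerror handler intact inside the markup, while the fixed lines emit it with
angle brackets and quotes entity-encoded so a browser shows it as text. The
escaping has to live in the module at the point where the stored title becomes
markup, because Drupal 7's fieldset theme function and block template do not
escape these values for you.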

Solution: 
Install the latest version:

   * If you use the Mosaik module for Drupal 7, upgrade to Mosaik 7.x-1.2 [3]

Also see the Mosaik [4] project page.

Reported By: 
   * Tatar Balazs Janos [5]

Fixed By: 
   * Tatar Balazs Janos [6]
   * Adriano Cori [7], the module maintainer

Coordinated By: 
   * David Rothstein [8] of the Drupal Security Team


[1] https://www.drupal.org/project/mosaik
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mosaik/releases/7.x-1.2
[4] https://www.drupal.org/project/mosaik
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/805228
[8] https://www.drupal.org/user/124982
