[Security-news] Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
security-news at drupal.org
security-news at drupal.org
Wed Oct 25 16:42:52 UTC 2017
View online: https://www.drupal.org/sa-contrib-2017-080
Project: Mosaik [1]
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Description:
The Mosaik module enables you to create pages or complex blocks in Drupal
with the logic of a real mosaic and its pieces.
The module doesn't sufficiently sanitize the titles of fieldsets on its
administration pages or the titles of blocks that it creates. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer mosaik".
Solution:
Install the latest version:
* If you use the Mosaik module for Drupal 7, upgrade to Mosaik 7.x-1.2 [3]
Also see the Mosaik [4] project page.
Reported By:
* Tatar Balazs Janos [5]
Fixed By:
* Tatar Balazs Janos [6]
* Adriano Cori [7], the module maintainer
Coordinated By:
* David Rothstein [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mosaik
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mosaik/releases/7.x-1.2
[4] https://www.drupal.org/project/mosaik
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/805228
[8] https://www.drupal.org/user/124982
More information about the Security-news
mailing list