[Security-news] Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

security-news at drupal.org security-news at drupal.org
Wed Sep 20 19:13:32 UTC 2017


View online: https://www.drupal.org/node/2910308

   * Advisory ID: DRUPAL-SA-CONTRIB-2017-076
   * Project: Skype Status [1]     (third-party module)
   * Version: 7.x
   * Date: 2017-September-20
   * Security risk: 14/25 ( Moderately Critical)
     AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
   * Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to obtain the status for a user's Skype account

The module doesn't sufficiently sanitize the user input for their Skype ID.

This vulnerability is mitigated by the fact that an attacker must have an
account on the site and be allowed to edit/input their Skype ID.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Skype Status (skype_status) 7.x-2.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Skype Status
[4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Skype Status (skype_status) module for Drupal 7.x, upgrade
     to Skype Status (skype_status) 7.x-1.2 [5].

Also see the Skype Status [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Tatár Balázs János (tatarbj) [7].

-------- FIXED BY
------------------------------------------------------------

   * Tatár Balázs János (tatarbj) [8] provided patch.
   * Nicholas Alipaz (nicholasalipaz) [9] the module maintainer.

-------- COORDINATED BY
------------------------------------------------------

   * Michael Hess [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and  securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] https://www.drupal.org/project/skype_status
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/skype_status
[5] https://www.drupal.org/project/skype_status/releases/7.x-1.2
[6] https://www.drupal.org/project/skype_status
[7] https://www.drupal.org/user/649590
[8] https://www.drupal.org/user/649590
[9] https://www.drupal.org/u/nicholasalipaz
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



More information about the Security-news mailing list