[Security-news] Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019
security-news at drupal.org
security-news at drupal.org
Wed Apr 18 18:54:52 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-019
Project: Display Suite [1]
Version: 7.x-2.147.x-1.9
Date: 2018-April-18
Security risk: *Critical* 17∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting (XSS)
Description:
Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.
The module doesn't sufficiently validate view modes provided dynamically via
URLs leading to a reflected cross site scripting (XSS) attack.
This vulnerability is mitigated only by the fact that most modern browsers
protect against reflected XSS via the url.
Solution:
* If you use the Display Suite module for Drupal 7.x-1.x, upgrade to
Display
Suite 7.x-1.10 [3]
* If you use the Display Suite module for Drupal 7.x-2.x, upgrade to
Display
Suite 7.x-2.15 [4]
Reported By:
* Liz Pringi [5]
Fixed By:
* Kristof De Jaeger [6] the module maintainer
Coordinated By:
* Rick Manelius [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ds
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ds/releases/7.x-1.10
[4] https://www.drupal.org/project/ds/releases/7.x-2.15
[5] https://www.drupal.org/u/epringi
[6] https://www.drupal.org/u/swentel
[7] https://www.drupal.org/u/rickmanelius
[8] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list