[Security-news] E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080
security-news at drupal.org
security-news at drupal.org
Wed Dec 19 18:23:33 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-080
Project: E-Sign [1]
Version: 7.x-1.9
Date: 2018-December-19
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
This module allows for integration of Signature Pad, an electronic-signing
script, into Drupal for both nodes (content), the Field API (FAPI), and
Webforms.
The module doesn't sufficiently filter user input when displaying a
signature.
The vulnerability is mitigated by the fact that an attacker must have the
ability to submit a signature. That permission might be associated with
submitting a webform or creating or editing a node depending on site
configuration.
Solution:
Install the latest version:
* If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10 [3]
Also see the E-Sign [4] project page.
Reported By:
* Mitch Portier [5]
Fixed By:
* Adam Weiss [6]
* Mitch Portier [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/esign
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/esign/releases/7.x-1.10
[4] https://www.drupal.org/project/esign
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/1199320
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list