[Security-news] EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

security-news at drupal.org security-news at drupal.org
Wed Jul 11 17:03:24 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-047

Project: EU Cookie Compliance [1]
Date: 2018-July-11
Security risk: *Moderately critical* 12∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
This module addresses the General Data Protection Regulation (GDPR) that came
into effect 25th May 2018, and the EU Directive on Privacy and Electronic
Communications from 2012. It provides a banner where you can gather consent
from the user to store cookies on their computer and handle their personal
information.

This module does not sanitize some inputs, leading to XSS. This is mitigated
by the fact that an attacker must have the permission "Administer EU Cookie
Compliance."

Solution: 
Install the latest version:

   * If you use the eu_cookie_compliance module for Drupal 7.x, upgrade to
     eu_cookie_compliance 7.x-1.24 [3]
   * If you use the eu_cookie_compliance module for Drupal 8.x, upgrade to
     eu_cookie_compliance 8.x-1.1 [4]

Also see the EU Cookie Compliance [5] project page.

Reported By: 
   * Alexander Hass  [6]

Fixed By: 
   * Sven Berg Ryen  [7]

Coordinated By: 
   * Michael Hess [8] of the Drupal Security Team


[1] https://www.drupal.org/project/eu_cookie_compliance
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eu_cookie_compliance/releases/7.x-1.24
[4] https://www.drupal.org/project/eu_cookie_compliance/releases/8.x-1.1
[5] https://www.drupal.org/project/eu-cookie-compliance
[6] https://www.drupal.org/user/85918
[7] https://www.drupal.org/user/667244
[8] https://www.drupal.org/u/mlhess
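
A quick way to check an installed copy against the fixed releases listed under Solution, as an added example that is not part of the advisory or the module. It assumes the module's .info / .info.yml file carries the version line that drupal.org packaging writes; the function names, status strings and sample file contents are constructed for illustration.

```python
import re

# Fixed releases per core branch, from the advisory's Solution section.
FIXED = {"7.x": (1, 24), "8.x": (1, 1)}

# Version line as written by drupal.org packaging (assumed present):
#   Drupal 7 .info:      version = "7.x-1.23"
#   Drupal 8 .info.yml:  version: '8.x-1.0'
VERSION_LINE = re.compile(r"""^\s*version\s*[=:]\s*['"]?([^'"\s]+)""", re.MULTILINE)
RELEASE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+)(-(?:alpha|beta|rc)\d+)?$")


def check_version(version):
    """Classify one version string against the advisory's fixed releases."""
    m = RELEASE.match(version)
    if not m:
        # Dev snapshots (7.x-1.x-dev, 7.x-1.23+5-dev) cannot be ordered
        # against a tagged release from the string alone.
        return "unknown"
    core, prerelease = m.group(1), m.group(4)
    installed = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get(core)
    if fixed is None:
        return "unknown"
    if installed > fixed:
        return "at-or-above-fix"
    if installed == fixed:
        # Assumption: a pre-release of the fixed version predates the fix.
        return "below-fix" if prerelease else "at-or-above-fix"
    return "below-fix"


def check_info_file(text):
    """Extract the version from .info / .info.yml content and classify it."""
    m = VERSION_LINE.search(text)
    return check_version(m.group(1)) if m else "unknown"


# Constructed sample file contents (not taken from a real site).
SAMPLE_D7 = 'name = EU Cookie Compliance\ncore = 7.x\nversion = "7.x-1.23"\n'
SAMPLE_D8 = "name: EU Cookie Compliance\ntype: module\nversion: '8.x-1.1'\n"

if __name__ == "__main__":
    for label, text in (("D7 sample", SAMPLE_D7), ("D8 sample", SAMPLE_D8)):
        print(label, check_info_file(text))
```

A result of "unknown" means the copy needs manual review, for example a dev snapshot or a checkout without a packaged version line.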


