[Security-news] Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059
security-news at drupal.org
security-news at drupal.org
Wed Sep 5 17:29:11 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-059
Project: Fraction [1]
Date: 2018-September-05
Security risk: *Less critical* 5∕25 6/25 ( Less Critical)
AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: XSS vulnerability
Description:
This module enables you to create fields for storing decimal values as two
integers (numerator and denominator) for maximum precision.
The module doesn't sufficiently filter XSS strings out of field labels.
This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to manage field configuration.
Solution:
Install the latest version:
* If you use the Fraction module for Drupal 7.x, upgrade to Fraction
7.x-1.7
[3].
* If you use the Fraction module for Drupal 8.x, upgrade to Fraction
8.x-1.2
[4].
Also see the Fraction project page [5].
Reported By:
* bucefal91 [6]
Fixed By:
* bucefal91 [7]
* Michael Stenta [8], the module maintainer.
Coordinated By:
* Michael Hess [9] of the security team.
[1] https://www.drupal.org/project/fraction
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/fraction/releases/7.x-1.7
[4] https://www.drupal.org/project/fraction/releases/8.x-1.2
[5] https://www.drupal.org/project/fraction
[6] https://www.drupal.org/user/504128
[7] https://www.drupal.org/user/504128
[8] https://www.drupal.org/user/581414
[9] https://www.drupal.org/u/mlhess
More information about the Security-news
mailing list