[Security-news] scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

security-news at drupal.org security-news at drupal.org
Wed Aug 14 17:52:54 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-061

Project: scroll to top [1]
Date: 2019-August-14
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
The Scroll To Top module enables you to have an animated "scroll to top" link
at the bottom of the node.

The module does not sufficiently filter administrator-supplied configuration
text before rendering it, leading to a Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer scroll to top".
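
As an added illustration of the bug class this advisory describes, not the
module's own code and not the actual change shipped in 7.x-2.2: a Drupal 7
module that stores admin-entered text in a configuration variable and
concatenates it straight into markup, beside the same code with output
escaping. The variable name scroll_to_top_label, the hook used and the
function names are assumptions made for the example.

```php
<?php
/**
 * Illustrative Drupal 7 pattern (added example, not scroll_to_top's code).
 *
 * Assumptions (hypothetical): the variable 'scroll_to_top_label' holds
 * admin-supplied link text and the module injects the link from
 * hook_page_build(). Both are made up for this example.
 */

/**
 * VULNERABLE: configuration text is placed into HTML unfiltered.
 *
 * A user holding "administer scroll to top" can save a label such as
 *   <img src=x onerror=alert(document.domain)>
 * and it runs in the browser of every visitor, on every page the link
 * appears on. The permission limits who can plant it, not who is hit.
 */
function example_vulnerable_page_build(&$page) {
  $label = variable_get('scroll_to_top_label', 'Back to top');
  $page['page_bottom']['scroll_to_top'] = array(
    '#markup' => '<a href="#" class="scroll-to-top">' . $label . '</a>',
  );
}

/**
 * HARDENED: escape at the point of output.
 *
 * check_plain() HTML-encodes <, >, &, " and ' so the stored string can only
 * ever be displayed as text. If the feature is meant to accept limited
 * markup, filter_xss($label) with an explicit tag whitelist is the
 * narrower alternative; filter_xss_admin() is NOT a fix here, since it is
 * designed for trusted admin content and leaves far too much through.
 */
function example_hardened_page_build(&$page) {
  $label = variable_get('scroll_to_top_label', 'Back to top');
  $page['page_bottom']['scroll_to_top'] = array(
    '#markup' => '<a href="#" class="scroll-to-top">' . check_plain($label) . '</a>',
  );
  // Anything the module's JavaScript needs should travel through
  // Drupal.settings (JSON-encoded), never be concatenated into an inline
  // <script> string, and the JS side should write it with .text(), not .html().
  drupal_add_js(array('scrollToTop' => array('label' => $label)), 'setting');
}

/**
 * Defense in depth on the settings form: reject markup when it is saved.
 * Output escaping above is the real fix; this only catches careless input
 * early and does nothing for values written through other paths.
 */
function example_settings_form_validate($form, &$form_state) {
  $label = $form_state['values']['scroll_to_top_label'];
  if ($label !== strip_tags($label)) {
    form_set_error('scroll_to_top_label', t('The label may not contain HTML.'));
  }
}
```

The check a site owner wants after upgrading is the same one a reviewer
applies to any Drupal 7 module: grep for configuration values reaching
'#markup', theme() arguments or drupal_add_js() inline scripts without
check_plain(), filter_xss() or a settings array in between.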

Solution: 
Install the latest version of the module.

   * If you use the Scroll To Top module for Drupal 7.x, upgrade to Scroll To
     Top 7.x-2.2 [3]

Also see the scroll to top [4] project page.

Reported By: 
   * Ayesh Karunaratne  [5]
   * Yonatan Offek [6]

Fixed By: 
   * Ayesh Karunaratne  [7]
   * Tarek Djebali  [8]

Coordinated By: 
   * Michael Hess [9] of the Drupal Security Team
   * Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/scroll_to_top
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/scroll_to_top/releases/7.x-2.2
[4] https://www.drupal.org/project/scroll_to_top
[5] https://www.drupal.org/user/796148
[6] https://www.drupal.org/user/194009
[7] https://www.drupal.org/user/796148
[8] https://www.drupal.org/user/745218
[9] https://www.drupal.org/user/102818
[10] https://www.drupal.org/user/36762


