[Security-news] Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
security-news at drupal.org
security-news at drupal.org
Wed Feb 13 19:46:14 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-015
Project: Focal Point [1]
Version: 7.x-1.17.x-1.0
Date: 2019-February-13
Security risk: *Moderately critical* 13∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
This module enables a privileged user to specify the important part of an
image for the purposes of cropping.
The module doesn't sufficiently sanitize certain form element attributes when
the focal point widget is displayed on a form.
This vulnerability is mitigated by the fact that an attacker must have the
ability to generate markup (e.g. with a field that accepts "filtered html")
AND they must have permission to edit a node or entity whose add/edit form
contains the focal point widget.
Solution:
Install the latest version:
* If you use the focal_point module for Drupal 7.x, upgrade to Focal Point
7.x-1.2 [3]
Also see the Focal Point [4] project page.
Reported By:
* poiu [5]
Fixed By:
* Alexander Ross [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/focal_point
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/focal_point/releases/7.x-1.2
[4] https://www.drupal.org/project/focal_point
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/77375
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list