[Security-news] Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015

security-news at drupal.org security-news at drupal.org
Wed Feb 13 19:46:14 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-015

Project: Focal Point [1]
Version: 7.x-1.17.x-1.0
Date: 2019-February-13
Security risk: *Moderately critical* 13∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module enables a privileged user to specify the important part of an
image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when
the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the
ability to generate markup (e.g. with a field that accepts "filtered html")
AND they must have permission to edit a node or entity whose add/edit form
contains the focal point widget.

Solution: 
Install the latest version:

   * If you use the focal_point module for Drupal 7.x, upgrade to Focal Point
     7.x-1.2 [3]

Also see the Focal Point [4] project page.

Reported By: 
   * poiu  [5]

Fixed By: 
   * Alexander Ross  [6]

Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/focal_point
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/focal_point/releases/7.x-1.2
[4] https://www.drupal.org/project/focal_point
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/77375
[7] https://www.drupal.org/user/36762



More information about the Security-news mailing list