[Security-news] Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057
security-news at drupal.org
security-news at drupal.org
Wed Jul 17 16:35:26 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-057
Project: Meta tags quick [1]
Date: 2019-July-17
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
Metatags quick is a module that manages meta tags (tags that appear in HTML's
head section) as Drupal 7 fields.
Administration page of metatags quick does not sanitize the output of blocks
that appear on the same page. This allows an attacker to inject malicious
JavaScript in block markup.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer blocks".
Solution:
Install the latest version.
If you use the Metatags quick module for Drupal 7.x, upgrade to metatags
quick 7.x-2.10. [3]
Reported By:
* Yonatan Offek [4]
Fixed By:
* Valery Lourie [5]
* Yonatan Offek [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/metatags_quick
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/metatags_quick/releases/7.x-2.10
[4] https://www.drupal.org/user/194009
[5] https://www.drupal.org/user/239562
[6] https://www.drupal.org/user/194009
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list