[Security-news] Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054
security-news at drupal.org
Wed Jun 26 16:29:10 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-054
Project: Advanced Forum [1]
Version: 7.x-2.x-dev
Date: 2019-June-26
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
Advanced Forum builds on and enhances Drupal's core forum module. When used
in combination with other Drupal contributed modules, many of which are
automatically used by Advanced Forum, you can achieve much of what
stand-alone software provides.
The module doesn't sufficiently sanitise user input in specific
circumstances. It is not possible to disable the vulnerable functionality.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create forum content.
Solution:
Install the latest version:
* If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced
Forum 7.x-2.8 [3]
Also see the Advanced Forum [4] project page.
Reported By:
* Drew Webber [5] of the Drupal Security Team
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Vijaya Chandran Mani [7] Provisional Member of the Drupal Security Team
Coordinated By:
* Drew Webber [8] of the Drupal Security Team
[1] https://www.drupal.org/project/advanced_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/advanced_forum/releases/7.x-2.8
[4] https://www.drupal.org/project/advanced_forum
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/93488
[8] https://www.drupal.org/user/255969