[Security-news] AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039

security-news at drupal.org security-news at drupal.org
Wed Mar 20 16:58:32 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-039

Project: AddToAny Share Buttons [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
This module enables you to add social media share buttons on your website to
its content and pages.

The module doesn't sufficiently mark its administration permission
restricted, allowing cross site scripting vulnerabilities to users who have
access to its admin settings.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer addtoany".

Solution: 
   * If you use the AddToAny Share Buttons module for Drupal 7.x, upgrade to
     AddToAny Share Buttons 7.x-4.16 [3]

Reported By: 
   * Balazs Janos Tatar  [4]

Fixed By: 
   * Balazs Janos Tatar  [5]
   * micropat  [6]

Coordinated By: 
   * Balazs Janos Tatar  [7]


[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/7.x-4.16
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/260224
[7] https://www.drupal.org/user/649590



More information about the Security-news mailing list