[Security-news] AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039
security-news at drupal.org
security-news at drupal.org
Wed Mar 20 16:58:32 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-039
Project: AddToAny Share Buttons [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to add social media share buttons on your website to
its content and pages.
The module doesn't sufficiently mark its administration permission
restricted, allowing cross site scripting vulnerabilities to users who have
access to its admin settings.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer addtoany".
Solution:
* If you use the AddToAny Share Buttons module for Drupal 7.x, upgrade to
AddToAny Share Buttons 7.x-4.16 [3]
Reported By:
* Balazs Janos Tatar [4]
Fixed By:
* Balazs Janos Tatar [5]
* micropat [6]
Coordinated By:
* Balazs Janos Tatar [7]
[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/7.x-4.16
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/260224
[7] https://www.drupal.org/user/649590
More information about the Security-news
mailing list