[Security-news] Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040
security-news at drupal.org
security-news at drupal.org
Wed Mar 20 16:59:26 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-040
Project: Back To Top [1]
Date: 2019-March-20
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to add a button that hovers in the bottom of your
screen and allows users to smoothly scroll up the page using jQuery.
The module doesn't sufficiently sanitize the code that gets printed on pages
leading to a Cross Site Scripting (XSS) issue.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access backtotop settings".
Solution:
Install the latest version:
* If you use the Back To Top module for Drupal 7.x, upgrade to Back To Top
7.x-1.6 [3]
Reported By:
* Balazs Janos Tatar [4]
Fixed By:
* Mattias Axelsson [5]
* Balazs Janos Tatar [6]
Coordinated By:
* Balazs Janos Tatar [7]
[1] https://www.drupal.org/project/back_to_top
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/back_to_top/releases/7.x-1.6
[4] https://www.drupal.org/user/649590
[5] https://www.drupal.org/user/765764
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/649590
More information about the Security-news
mailing list