[Security-news] Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049
security-news at drupal.org
security-news at drupal.org
Wed May 22 16:52:53 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-049
Project: Workflow [1]
Date: 2019-May-22
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
The Workflow module enables you to create arbitrary Workflows, and assign
them to Entities.
The module doesn't sufficiently escape HTML in the field settings leading to
a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer nodes" and "administer workflow".
Solution:
Install the latest version:
* If you use the Workflow module for Drupal 7.x, upgrade to Workflow
7.x-2.12 [3]
Reported By:
* Roberto Mariani [4]
Fixed By:
* Roberto Mariani [5]
* David Snopek [6] of the Drupal Security Team
* John Voskuilen [7]
* Sarah Hood [8]
* Greg Knaddison [9] of the Drupal Security Team
Coordinated By:
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/workflow
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/workflow/releases/7.x-2.12
[4] https://www.drupal.org/user/1135096
[5] https://www.drupal.org/user/1135096
[6] https://www.drupal.org/user/266527
[7] https://www.drupal.org/user/591042
[8] https://www.drupal.org/user/275249
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/u/mlhess
More information about the Security-news
mailing list