[Security-news] Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012
security-news at drupal.org
security-news at drupal.org
Wed Jun 2 17:43:27 UTC 2021
View online: https://www.drupal.org/sa-contrib-2021-012
Project: Frequently Asked Questions [1]
Date: 2021-June-02
Security risk: *Moderately critical* 11∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
The Frequently Asked Questions (faq) module allows users, with appropriate
permissions, to create question and answer pairs which they want displayed on
the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes
configured. Basic Views layouts are also provided and can be customised via
the Views UI (rather than via the module settings page).
The module doesn't sufficiently sanitize editor input leading to a Cross Site
Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "create faq content" permission.
Solution:
Install the latest version:
* If you use the Frequently Asked Questions module for Drupal 7.x, upgrade
to Frequently Asked Questions 7.x-1.3 [3]
Reported By:
* Mitch Portier [4]
Fixed By:
* Mitch Portier [5]
* Mohammed Razem [6]
* Vijay Mani [7] Provisional Member of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/faq
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/faq/releases/7.x-1.3
[4] https://www.drupal.org/user/2284182
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/255384
[7] https://www.drupal.org/user/93488
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list