[Security-news] The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

security-news at drupal.org security-news at drupal.org
Wed Sep 22 18:06:49 UTC 2021


View online: https://www.drupal.org/sa-contrib-2021-038

Project: The Better Mega Menu [1]
Date: 2021-September-22
Security risk: *Moderately critical* 12∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting, Information Disclosure, Multiple
vulnerabilities

Description: 
This module provides an admin interface for creating drop down menus that
combine Drupal menu items with rich media content.

The module does not sanitize values for CSS properties that are added by
admins and rendered on the front-end, allowing attackers to inject malicious
code into the front-end markup.

This vulnerability is mitigated by the fact that it can only be exploited by
an attacker with permissions to administer TB Mega Menu, or a sophisticated
anonymous user using a site-specific attack that exploits the Cross Site
Request Forgery vulnerability that is fixed by this same release.

Solution: 
Install the latest version:

   * If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu
     8.x-1.4 [3]

Reported By: 
   * Patrick Fey [4]

Fixed By: 
   * Patrick Fey [5]
   * knaffles [6]

Coordinated By: 
   * Damien McKenna [7] of the Drupal Security Team
   * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/tb_megamenu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tb_megamenu/releases/8.x-1.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/998680
[6] https://www.drupal.org/user/1140512
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles



More information about the Security-news mailing list