[Security-news] Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020
security-news at drupal.org
security-news at drupal.org
Wed Jun 14 16:18:37 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-020
Project: Office Hours [1]
Version: 8.x-1.58.x-1.48.x-1.38.x-1.28.x-1.18.x-1.0
Date: 2023-June-14
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to define a 'weekly office hours' field type, and add
a field to any Content type, in order to display the weekly opening hours for
a location.
The module doesn't sufficiently filter user-supplied text leading to a Cross
Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker needs additional
permissions. The vulnerability can be exploited by an attacker with a role
with the permission "administer display" regardless of other configurations.
In some scenarios, the vulnerability can be exploited by a user with "Create
content" or "Edit content" for a relevant Content type.
Solution:
Install the latest version:
* If you use the 'Office hours' module for Drupal 8.x, upgrade to
office_hours 8.x-1.11 [3]
Reported By:
* John Voskuilen [4]
* Mitch Portier [5]
Fixed By:
* John Voskuilen [6]
* Mitch Portier [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/office_hours
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/office_hours/releases/8.x-1.11
[4] https://www.drupal.org/user/591042
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/591042
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list