[Security-news] GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024
security-news at drupal.org
Wed Jun 28 17:50:17 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-024
Project: GridStack [1]
Version: 8.x-2.10, 8.x-2.9, 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-June-28
Security risk: *Less critical* 7/25
AC:Complex/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to create dynamic layouts and add sample color
palettes for color selection hints via its UI.
The module does not sufficiently sanitize its settings in certain
scenarios, leading to a cross-site scripting (XSS) vulnerability: markup
entered into the module's settings can be rendered back to other users.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer gridstack", which is an administrative
permission (A:Admin in the risk vector above), so the realistic attacker is a
malicious or compromised administrative account. Sites should grant that
permission only to trusted roles and upgrade regardless.
Solution:
Install the latest version:
* If you use the GridStack module prior to version 8.x-2.11 for Drupal 9.x
or 10.x, upgrade to GridStack 8.x-2.11 [3]
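As an added, illustrative check (not part of this advisory or of the GridStack project's code), the following Python script decides whether an installed GridStack version falls in the affected range listed above. It accepts both the drupal.org version form used in this advisory ("8.x-2.10") and the Composer form found in composer.lock ("2.10.0"; drupal.org publishes a contrib release 8.x-2.N to Composer as 2.N.0). The composer.lock excerpt embedded in the script is constructed for the example. The comparison is numeric on purpose: a plain string comparison would sort "8.x-2.9" after "8.x-2.10" and report an affected site as fixed.

```python
import json
import re

# Fixed release named in the advisory (SA-CONTRIB-2023-024).
FIXED_VERSION = "8.x-2.11"

# Matches "8.x-2.10", "2.10.0", "2.11.0-beta1". Dev snapshots such as
# "8.x-2.x-dev" do not match and cannot be placed in the affected range.
_VERSION_RE = re.compile(r"^(?:(\d+)\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(-.*)?$")


def parse_version(version):
    """Return a tuple (major, minor, patch, is_final) suitable for ordering.

    is_final is 1 for a tagged release and 0 for a pre-release suffix such as
    "-beta1", so that "2.11.0-beta1" sorts below "2.11.0" and is treated as
    still affected (the conservative choice for a security check).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    _core, major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def installed_version(lock_text, package="drupal/gridstack"):
    """Look a package up in composer.lock content; None if not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_text):
    """Produce a one-line verdict for the site described by composer.lock."""
    version = installed_version(lock_text)
    if version is None:
        return "drupal/gridstack not present in composer.lock"
    if is_affected(version):
        return f"drupal/gridstack {version}: AFFECTED, upgrade to {FIXED_VERSION}"
    return f"drupal/gridstack {version}: not affected"


# Constructed composer.lock excerpt for the example; not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.0.9"},
        {"name": "drupal/gridstack", "version": "2.10.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    # Demonstrates why numeric comparison matters.
    print("lexical order says 8.x-2.9 > 8.x-2.10:", "8.x-2.9" > "8.x-2.10")
    print("numeric order says 8.x-2.9 < 8.x-2.10:",
          parse_version("8.x-2.9") < parse_version("8.x-2.10"))
```

To run it against a real site, read the site's composer.lock into `check_lock()`. Because exploitation requires the "administer gridstack" permission, it is also worth confirming which roles hold it (for example via the Permissions page under People, or `drush role:list` on a Drush 9+ site) and removing it from any role that does not need it.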
Reported By:
* Mitch Portier [4]
Fixed By:
* Gaus Surahman [5]
* Mitch Portier [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/gridstack
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gridstack/releases/8.x-2.11
[4] https://www.drupal.org/user/2284182
[5] https://www.drupal.org/user/159062
[6] https://www.drupal.org/user/2284182
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762