[Security-news] View Password - Less critical - Cross Site Scripting - SA-CONTRIB-2024-026
security-news at drupal.org
Wed Jul 31 16:16:19 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-026
Project: View Password [1]
Date: 2024-July-31
Security risk: *Less critical* 8∕25
AC:Basic/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <6.0.4
Description:
The View Password module adds a help icon button next to the password input
field that toggles the password's visibility. An administrative user can add
CSS classes to this icon for styling purposes.
The module does not validate the contents of the classes field, so a
malicious user with access to the View Password settings form could enter
markup or script in that field instead of class names, and it is rendered
into the page unchanged (Cross Site Scripting).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer view password".
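The check a module author would want for a field like this, as an added
example that is not the View Password module's code: split the admin-supplied
value into tokens, accept only tokens that are valid CSS identifiers, and still
escape the attribute value when rendering it. The function names, the icon
markup and the two sample inputs are all constructed for illustration.

```php
<?php
// Added example, not code from the View Password module. Validates an
// admin-supplied class list and renders it safely into a class="..." attribute.

declare(strict_types=1);

/**
 * Split a space-separated class string and keep only tokens that are valid
 * CSS identifiers. Anything else (quotes, angle brackets, '=', slashes,
 * fragments of an event-handler attribute) is rejected, so the stored value
 * can never break out of the attribute it is later rendered into.
 *
 * Returns [array $validClasses, array $rejectedTokens].
 */
function validate_css_classes(string $input): array {
    $valid = [];
    $rejected = [];
    foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        // Letters, digits, hyphen and underscore only; may not start with a
        // digit (a conservative subset of the CSS identifier grammar).
        if (preg_match('/^-?[_a-zA-Z][_a-zA-Z0-9-]*$/', $token) === 1) {
            $valid[] = $token;
        } else {
            $rejected[] = $token;
        }
    }
    return [$valid, $rejected];
}

/**
 * Render the toggle icon. The class list is escaped even after validation
 * (defence in depth): a future bug in the validator must not reintroduce XSS.
 */
function render_icon(array $classes): string {
    $attr = htmlspecialchars(implode(' ', $classes), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="' . $attr . '" aria-hidden="true"></span>';
}

// Constructed sample inputs: one benign, one that tries to close the attribute.
$benign  = 'fa fa-eye icon-toggle';
$hostile = 'fa icon" onmouseover="alert(1)';

[$ok, $bad] = validate_css_classes($benign);
echo render_icon($ok), PHP_EOL;

[$ok, $bad] = validate_css_classes($hostile);
if ($bad !== []) {
    // In a Drupal form this is where the #element_validate callback would call
    // $form_state->setErrorByName('classes', ...) instead of echoing.
    echo 'Rejected class token(s): ', implode(' | ', $bad), PHP_EOL;
}
// Only the valid "fa" token survives, and it is escaped on output.
echo render_icon($ok), PHP_EOL;
```

Rejecting bad tokens (and failing form validation) is preferable to silently
stripping them, because the administrator then learns that the value was
changed. In a real Drupal module the validation step can be delegated to
`\Drupal\Component\Utility\Html::cleanCssIdentifier()`, which rewrites rather
than rejects invalid characters; either way the render step should keep its
own escaping rather than trust the stored configuration.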
Solution:
Install the latest version:
* If you use the View Password module upgrade to View Password 6.0.4 [3].
Reported By:
* Ide Braakman [4]
Fixed By:
* Ana Colautti [5]
* Ide Braakman [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/view_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/view_password/releases/6.0.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/2925043
[6] https://www.drupal.org/user/1879760
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316