SA-CONTRIB-2012-027 - Submenu Tree - Cross Site Scripting

Advisory ID: DRUPAL-SA-CONTRIB-2012-027
Date: 2012-02-29 00:00:00
Author: Drupal Security Team
Source: www.drupal.org

CVSS2: 3.5 Low

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.967 High

  • Percentile: 99.7%

CVE: CVE-2012-1651

The Submenu Tree module allows sufficiently privileged users to show a
list of menu entries when displaying a node.

The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS)
vulnerability.

The vulnerability is mitigated by the fact that a malicious user must
be assigned a role that includes permissions to edit the Drupal menus.

Versions affected

  • Submenu Tree versions prior to 6.x-1.5

Drupal core is not affected. If you do not use the contributed Submenu Tree module,
there is nothing you need to do.
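
One way to check an installed copy against the affected range stated above, as an added example that is not part of the advisory or the module's own code: it reads the version line that a packaged module's .info file carries and compares it with 6.x-1.5. The sample .info text is constructed, and treating pre-releases of 1.5 as affected is an assumption.

```python
import re

# Threshold from the advisory: releases prior to 6.x-1.5 are affected.
FIXED_CORE, FIXED = "6.x", (1, 5)

# Drupal contrib version strings: <core>.x-<major>.<patch>[-<extra>],
# e.g. 6.x-1.4, 6.x-1.5-rc1, 6.x-1.x-dev.
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")
INFO_LINE_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)

# Constructed sample .info content, not copied from a real release.
SAMPLE_INFO = '''name = Submenu Tree
core = 6.x
version = "6.x-1.4"
'''


def version_from_info(info_text):
    """Return the version value from a module .info file, or None if absent."""
    m = INFO_LINE_RE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Classify a version string against the advisory's fixed release."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"        # no version line (e.g. VCS checkout) or unparsable
    core, major, patch, extra = m.groups()
    if core != FIXED_CORE:
        return "not-listed"     # the advisory names only the 6.x branch
    if patch == "x":
        return "review"         # -dev snapshot: compare its build date by hand
    release = (int(major), int(patch))
    if release < FIXED:
        return "affected"
    if release == FIXED and extra:
        return "affected"       # assumption: 1.5-rc1 and similar predate 1.5
    return "fixed"


if __name__ == "__main__":
    print(classify(version_from_info(SAMPLE_INFO)))
```

A result of "review" or "unknown" means the version string alone cannot settle the question and the installed files need to be compared with the 6.x-1.5 release.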

Solution

Install the latest version:

Please also see the Submenu Tree project page.

Reported by

Fixed by

Coordinated by
