SA-CONTRIB-2012-094 - Maestro module - Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)

The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation.

The module doesn’t sufficiently filter user-supplied data in its admin screens leading to a Cross Site Scripting (XSS) vulnerability. A Cross Site Request Forgery vulnerability in the control of the module could allow a user to change workflows including injecting malicious scripts to exploit the XSS.

This vulnerability is mitigated by the fact that an attacker must have a role with the maestro admin permissions or use CSRF against a user with that permission.

XSS issue:
CVE: CVE-2012-2723
CSRF Issue:
CVE: CVE-2012-3799

Versions affected

• maestro 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Maestro module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the maestro module for Drupal 7.x, upgrade to Maestro 7.x-1.2

Also see the Maestro project page.

Reported by

• Steve Persch

Fixed by

• Blaine Lang module maintainer
• Randy Kolenko module maintainer
• Greg Knaddison of the Drupal Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Stella Power of the Drupal Security Team