Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-008

HistoryJan 23, 2013 - 12:00 a.m.

SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported

2013-01-2300:00:00

Drupal Security Team

www.drupal.org

CVSS2

2.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

The CurvyCorners module enables you to create rounded corners on HTML block elements.

The module doesn’t sufficiently filter user entered text when being displayed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer curvycorners”.

CVE identifier(s) issued

CVE-2013-1393

Versions affected

All CurvyCorners 6.x-1.x versions.
All CurvyCorners 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed CurvyCorners module, there is nothing you need to do.

Solution

Install the latest version:

If you use the CurvyCorners module, uninstall the module - there is no patch available to fix this issue

Also see the CurvyCorners project page.

Reported by

rickauer

Fixed by

Not applicable.

Coordinated by

Greg Knaddison of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/curvycorners

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/36762

drupal.org/user/69553

drupal.org/writing-secure-code

CVSS2

2.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2013-008