
SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)

2013-04-17 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 2.1 Low

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low (percentile 39.0%)

This module lets you easily add a Flash MP3 Player to a CCK FileField.
The module doesn't sufficiently filter user-supplied text from MP3 filenames, leading to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create a node containing an MP3 filefield whose display widget is set to the MP3 player.
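As an added illustration, not the MP3 Player module's own code (no patch was issued for this advisory), the following hypothetical Drupal 6 formatter shows the unsafe pattern the advisory describes, a filename dropped into markup without escaping, beside a hardened version that runs every user-controlled value through Drupal's check_plain() and builds the file URL with file_create_url(). The function and variable names, and the assumption that the item array carries 'filepath' and 'filename' keys as Drupal 6 filefield items do, are assumptions of the example.

```php
<?php
// Added example, not the MP3 Player module's code. Assumes a Drupal 6 CCK
// FileField item array with 'filepath' and 'filename' keys (the shape Drupal 6
// filefield items have); theme_mp3_player_unsafe/safe are hypothetical names.

/**
 * Unsafe pattern: the filename, chosen by the uploading user, is concatenated
 * straight into HTML. Any markup characters in it reach the browser unescaped,
 * which is the class of defect the advisory describes.
 */
function theme_mp3_player_unsafe($file) {
  $url = file_create_url($file['filepath']);
  return '<div class="mp3-player" title="' . $file['filename'] . '">'
       . '<object data="' . $url . '"></object>'
       . '<span class="mp3-title">' . $file['filename'] . '</span></div>';
}

/**
 * Hardened pattern: each user-controlled value is escaped for the context it
 * lands in. check_plain() HTML-escapes text nodes and attribute values; the
 * stored path is escaped too, because a stored path is still user data.
 */
function theme_mp3_player_safe($file) {
  $url   = check_plain(file_create_url($file['filepath']));
  $title = check_plain($file['filename']);
  return '<div class="mp3-player" title="' . $title . '">'
       . '<object data="' . $url . '"></object>'
       . '<span class="mp3-title">' . $title . '</span></div>';
}
```

The same rule applies to any value a player module passes into a JavaScript string or a Flash flashvars parameter: escape for that context (drupal_to_js() for JavaScript in Drupal 6) rather than trusting a value because it is "only a filename".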

CVE identifier(s) issued

  • CVE-2013-1971

Versions affected

  • All MP3 Player versions.

Drupal core is not affected. If you do not use the contributed MP3 Player module, there is nothing you need to do.

Solution

Disable the module:

  • If you use the MP3 Player module for Drupal 6.x, you should disable the module.

Also see the MP3 Player project page.

Reported by

Fixed by

Not applicable.

Coordinated by

