Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2014-008

HistoryJan 29, 2014 - 12:00 a.m.

SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)

2014-01-2900:00:00

Drupal Security Team

www.drupal.org

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

46.6%

JSON

A tribune is a type of chatroom.

The module doesn’t sufficiently filter user provided text from Tribune node titles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node.

CVE identifier(s) issued

CVE-2014-8075

Versions affected

Tribune 6.x-1.x versions.
Tribune 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Tribune module, there is nothing you need to do.

Solution

Remove the module or otherwise mitigate the issue.

Also see the Tribune project page.

Reported by

Raynald Mirville

Fixed by

Not applicable.

Coordinated by

Laurence Liss provisional member of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/tribune

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/2737379

drupal.org/user/724750

drupal.org/writing-secure-code

twitter.com/drupalsecurity

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

46.6%

JSON

Related for DRUPAL-SA-CONTRIB-2014-008