Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2014-019

HistoryFeb 12, 2014 - 12:00 a.m.

SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

2014-02-1200:00:00

Drupal Security Team

www.drupal.org

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

This module enables you to add social sharing widgets to your content and pages.
The module doesn’t sufficiently validate block titles when a user creates a custom block from within the module’s admin interface.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer easy social”.

CVE identifier(s) issued

CVE-2014-8319

Versions affected

Easy Social 7.x-2.x versions prior to 7.x-2.11.

Drupal core is not affected. If you do not use the contributed Easy Social module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Easy Social module for Drupal 7.x, upgrade to Easy Social 7.x-2.11

Also see the Easy Social project page.

Reported by

James Davis

Fixed by

Alex Weber the module maintainer

Coordinated by

Lee Rowlands of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/easy_social

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/2766355

drupal.org/user/395439

drupal.org/user/850856

drupal.org/writing-secure-code

twitter.com/drupalsecurity

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2014-019