CVSS2 base score: 4.3 (Medium)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS score: 0.967 (High)
EPSS percentile: 99.7%
The Project Issue File Review (PIFR) module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development.
Two scenarios were identified where the module does not sufficiently sanitize user-provided input, exposing the ‘server’ component of the module to cross-site scripting vulnerabilities.
The first scenario is mitigated by the fact that an attacker must have a role with the ‘manage PIFR environments’ administrative permission.
The second scenario is mitigated by the fact that an attacker must be able to initiate testing of a patch specially crafted to exploit the vulnerability on the PIFR testing environment, have the testing execute successfully on a PIFR client, and have the client provide the testing results back to the PIFR server component.
As one common purpose of this module is to provide validation and testing of user-supplied patches, users of the PIFR module should always consider the ‘PIFR client’ component of this module as insecure and untrusted, by design. The ‘PIFR client’ component should always be maintained in a separate network environment, isolated from the ‘PIFR server’ component or other critical infrastructure.
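The advisory describes the root cause as client-supplied data (for example test results a PIFR client reports back) reaching the server's HTML output without sufficient sanitization. The following added example, written for this page and not taken from the PIFR module or Drupal.org, contrasts an unsafe rendering pattern with a hardened one. The result array shape, the function names prefixed `pifr_example_` and the sample log line are all assumptions constructed for illustration; Drupal 7's own `check_plain()` performs the same escaping as the `htmlspecialchars()` call used here so the file runs without Drupal.

```php
<?php
// Added example (not the PIFR module's own code): rendering test results that a
// PIFR client reports back to the server. The client is untrusted by design, so
// every string it sends must be escaped for the HTML context before output.
//
// Assumed data shape (hypothetical, not from the advisory): an associative array
// with 'patch', 'status' and 'log' keys, as a client might POST to the server.

/**
 * Escape a string for an HTML text or attribute context.
 * Drupal 7 ships this as check_plain(); plain PHP's htmlspecialchars() with
 * ENT_QUOTES does the same job and is used here so the file runs stand-alone.
 */
function pifr_example_escape($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

/**
 * Vulnerable pattern: client-supplied fields are concatenated straight into
 * markup, so whatever the client puts in 'log' or 'patch' is parsed as HTML
 * by the browser of anyone viewing the result page.
 */
function pifr_example_render_unsafe(array $result) {
  return '<div class="pifr-result">'
       . '<h3>' . $result['patch'] . '</h3>'
       . '<span class="status">' . $result['status'] . '</span>'
       . '<pre>' . $result['log'] . '</pre>'
       . '</div>';
}

/**
 * Hardened pattern: every free-text value is escaped at output time, and the
 * status is reduced to a fixed allow-list so it can never carry arbitrary text.
 */
function pifr_example_render_safe(array $result) {
  $allowed_status = array('pass', 'fail', 'error');
  $status = in_array($result['status'], $allowed_status, TRUE)
    ? $result['status']
    : 'unknown';
  return '<div class="pifr-result">'
       . '<h3>' . pifr_example_escape($result['patch']) . '</h3>'
       . '<span class="status">' . $status . '</span>'
       . '<pre>' . pifr_example_escape($result['log']) . '</pre>'
       . '</div>';
}

// Constructed sample result: the log field carries markup, which is what a
// crafted patch whose test output echoes attacker-controlled text would yield.
$sample = array(
  'patch'  => 'issue-1234-fix.patch',
  'status' => 'fail',
  'log'    => "PHPUnit: 1 failure\n<script>alert('pifr')</script>",
);

// The unsafe renderer emits the <script> tag verbatim; the safe renderer emits
// it as escaped entities that the browser shows as inert text.
echo pifr_example_render_unsafe($sample), "\n\n";
echo pifr_example_render_safe($sample), "\n";
```

The allow-list on `status` is the check a reviewer would ask for in addition to escaping: a field that only ever takes a handful of known values should not be rendered as free text at all. Escaping is applied at output time rather than on receipt so the stored result stays faithful to what the client reported and can still be logged or diffed safely.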
There have been no known exploits of this vulnerability observed or reported on any servers running the PIFR module, including those within Drupal.org’s automated testing environment.
Drupal core is not affected. If you do not use the contributed Project Issue File Review module, there is nothing you need to do.
Install the latest version:
Also see the Project Issue File Review project page.
drupal.org/project/project_issue_file_review