CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
EPSS
Percentile: 37.1%
The Meta tags quick module adds meta tag editing to all non-administrative pages of a Drupal site.
When editing a path-based meta tag, the module does not check the destination parameter of the URL, allowing an attacker to pass an arbitrary URL to the meta tag editing form.
It is also possible to inject arbitrary JavaScript via the module's Path-based Metatags edit form; the script executes when a user attempts to delete a Path-based Metatag.
Both vulnerabilities are mitigated by the fact that an attacker must have a role with the permission “Edit path based meta tags”.
Drupal core is not affected. If you do not use the contributed Meta tags quick module, there is nothing you need to do.
If you use Meta tags quick 7.x-2.x for Drupal 7, upgrade to Meta tags quick 7.x-2.8.
Also see the Meta tags quick project page.
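The two checks whose absence the advisory describes, as an added example that is not code from the Meta tags quick module or its 7.x-2.8 fix: a destination value is accepted only when it is a site-local path, and a stored path is escaped before it is printed on a delete confirmation page. The function names and sample inputs are hypothetical; Drupal 7 itself provides `url_is_external()` and `check_plain()` for these purposes.

```php
<?php
// Added example: hypothetical helper names, constructed sample inputs.

// Return $dest only when it is a site-local path; otherwise return $fallback.
function safe_local_destination($dest, $fallback = '')
{
    if (!is_string($dest) || $dest === '') {
        return $fallback;
    }
    // Control characters and backslashes are normalised inconsistently by browsers.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $dest)) {
        return $fallback;
    }
    // "//host/path" is protocol-relative and leaves the site.
    if (strncmp($dest, '//', 2) === 0) {
        return $fallback;
    }
    // A colon before the first "/", "?" or "#" marks a scheme (http:, javascript:).
    $colon = strpos($dest, ':');
    if ($colon !== false && $colon < strcspn($dest, '/?#')) {
        return $fallback;
    }
    return $dest;
}

// Escape a user-supplied path before placing it in confirmation-page HTML.
function render_delete_confirmation($path)
{
    $safe = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return '<p>Delete meta tags for path <em>' . $safe . '</em>?</p>';
}

// Constructed inputs: two local paths, then values that must fall back.
$samples = array(
    'node/1/edit',
    'node/1?note=a:b',
    'http://example.invalid/',
    '//example.invalid/x',
    'javascript:alert(1)',
    "/\\example.invalid",
);
foreach ($samples as $s) {
    printf("%-26s => %s\n", $s, safe_local_destination($s, '(fallback)'));
}
// Markup stored as a path is rendered as text, not executed.
echo render_delete_confirmation('<script>alert(1)</script>'), "\n";
```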
drupal.org/contact
drupal.org/project/metatags_quick
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/writing-secure-code
twitter.com/drupalsecurity
www.drupal.org/node/2295975
www.drupal.org/u/valthebald
www.drupal.org/user/2858707
www.drupal.org/user/36762