SA-CONTRIB-2014-080 - Social Stats - Cross Site Scripting (XSS)

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “[Content Type]: Create new content”.

CVE identifier(s) issued

• CVE-2014-5456

Versions affected

• Social Stats 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Social Stats module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Social Stats module for Drupal 7.x, upgrade to 7.x-1.5

Also see the Social Stats project page.

Reported by

• Matt Vance

Fixed by

• Ajit Shinde the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• David Stoline of the Drupal Security Team