SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

This project allows you to create various types of tournaments (as nodes) and associated teams, tournaments, and matches.

There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user.

It is possible to create nodes or entities containing XSS or usernames could be imported with XSS in the strings or created via an add-on module like LDAP or similar.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “Create new teams” or “Tournament: Create new content” or “Match: Create new content” or the ability to create users with an XSS payload in the usernames (Drupal core’s input validation prevents XSS payloads in usernames).

CVE identifier(s) issued

• CVE-2014-9738

Versions affected

• Tournament 7.x-1.x any version

Drupal core is not affected. If you do not use the contributed Tournament module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Tournament module for Drupal 7.x, upgrade to Tournament 7.x-1.2

Also see the Tournament project page.

Reported by

• Matt V.

Fixed by

• Joe Fender the module maintainer
• Matt Vance provisional member of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team