SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)

Course module enables you to create e-learning courses with any number of requirements for completion.

The module doesn’t sufficiently filter node title displays when being used in a course.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create course content.

CVE identifier(s) issued

• CVE-2015-3344

Versions affected

• Course 7.x-1.x versions prior to 7.x-1.4
• Course 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Course module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.4
• If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.2

Also see the Course project page.

Reported by

• Pere Orga provisional member of the Drupal Security Team

Fixed by

• Pere Orga provisional member of the Drupal Security Team
• Devin Zuczek the module maintainer

Coordinated by

• Pere Orga provisional member of the Drupal Security Team