CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 0.967 High
Percentile: 99.7%
This module provides integration with the Cloudwords third-party service.
The module was not sanitizing node titles under certain conditions, leading to a Cross-Site Scripting (XSS) vulnerability.
Also, a menu callback was not protected against CSRF.
The XSS vulnerability is mitigated by the fact that an attacker must have an account with permission to create nodes.
Drupal core is not affected. If you do not use the contributed Cloudwords for Multilingual Drupal module, there is nothing you need to do.
Install the latest version:
Also see the Cloudwords for Multilingual Drupal project page.
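The two defect classes named above, shown in their hardened form as an added example; this is not Cloudwords code and not taken from the advisory. It assumes the Drupal 7 API, and the module name `example_translate`, its path and its variable name are hypothetical.

```php
<?php
// Hypothetical Drupal 7 module "example_translate" (not Cloudwords code).

/**
 * Implements hook_menu().
 */
function example_translate_menu() {
  $items['admin/example-translate/queue/%node'] = array(
    'title' => 'Queue node for translation',
    'page callback' => 'example_translate_queue',
    'page arguments' => array(3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the action link. The token binds the URL to the current session
 * and to this node, so a URL forged on another site will not validate.
 */
function example_translate_queue_link($node) {
  $token = drupal_get_token('example_translate_queue_' . $node->nid);
  return l(t('Queue'), 'admin/example-translate/queue/' . $node->nid,
    array('query' => array('token' => $token)));
}

/**
 * Page callback. It changes state on a GET request, so the permission
 * check in hook_menu() alone does not stop CSRF; the token check does.
 */
function example_translate_queue($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_translate_queue_' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $queue = variable_get('example_translate_queue', array());
  $queue[$node->nid] = TRUE;
  variable_set('example_translate_queue', $queue);

  // Unsafe form: drupal_set_message('Queued ' . $node->title);
  // $node->title is user input and would reach the page as raw HTML.
  // The %title placeholder makes t() escape the value before output.
  drupal_set_message(t('Queued %title for translation.',
    array('%title' => $node->title)));
  // Where a title is concatenated into markup directly, escape it first:
  // $cell = '<td>' . check_plain($node->title) . '</td>';
  drupal_goto('admin/content');
}
```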
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2402643
www.drupal.org/project/cloudwords
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/1751082
www.drupal.org/user/2301194
www.drupal.org/writing-secure-code