6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users.
The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access wishlists”, and that only sites with dblog module enabled are affected (dblog module is enabled by default).
Also, the paths to manage wishlist purchase intentions do not confirm the intent of a user. A malicious user could cause another user to delete wishlist purchase intentions by getting their browser to make a request to a specially-crafted URL, a Cross-Site Request Forgery (CSRF).
Drupal core is not affected. If you do not use the contributed Wishlist Module module,
there is nothing you need to do.
Install the latest version:
Also see the Wishlist Module project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2406803
www.drupal.org/node/2406811
www.drupal.org/project/wishlist
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/2301194
www.drupal.org/user/795122
www.drupal.org/writing-secure-code