Drupal Security TeamDRUPAL-SA-CONTRIB-2015-045SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.967 High
EPSS
Percentile
99.7%
The Node Access Product module provides ‘Node access’ settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views.
The module doesn’t sufficiently sanitize node titles leading to the possibility of cross-site scripting by an attacker.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit content.
CVE identifier(s) issued
- CVE-2015-3386
Versions affected
- All versions of Node Access Product
Drupal core is not affected. If you do not use the contributed Node Access Product module, there is nothing you need to do.
Solution
If you use the Node Access Product module you should uninstall it.
Also see the Node access product project page.
Reported by
- Pere Orga of the Drupal Security Team
Fixed by
- Not applicable.
Coordinated by
- Rick Manelius of the Drupal Security Team
- Aaron Ott provisional member of the Drupal Security Team
References
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.967 High
EPSS
Percentile
99.7%