CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS: 0.967 High
Percentile: 99.7%
The Node Access Product module provides ‘Node access’ settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views.
The module doesn’t sufficiently sanitize node titles, which makes cross-site scripting by an attacker possible.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit content.
Drupal core is not affected. If you do not use the contributed Node Access Product module, there is nothing you need to do.
If you use the Node Access Product module, you should uninstall it.
Also see the Node access product project page.