SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)

This module enables you to add a block to allow visitors to subscribe to a site’s newsletter.

The module failed to sanitize some block content, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer blocks”.

CVE identifier(s) issued

• CVE-2015-4367

Versions affected

• Simple Subscription 6.x-1.x versions prior to 6.x-1.1.
• Simple Subscription 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Simple Subscription module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Simple Subscription module for Drupal 6.x, upgrade to Simple Subscription 6.x-1.1
• If you use the Simple Subscription module in branch 7.x-1.x for Drupal 7.x, upgrade to Simple Subscription 7.x-1.1
• If you use the Simple Subscription module in branch 7.x-2.x for Drupal 7.x, there is nothing to do, this branch is secure

Also see the Simple Subscription project page.

Reported by

• Matt Vance provisional member of the Drupal Security Team

Fixed by

• Matt Vance provisional member of the Drupal Security Team
• SebCorbin the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team
• Matt Vance provisional member of the Drupal Security Team
• Aaron Ott provisional member of the Drupal Security Team