SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)

The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules.

The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have the “Administer Trick Question” permission.

CVE identifier(s) issued

• CVE-2015-4369

Versions affected

• Trick Question 6.x-1.x versions prior to 6.x-1.5
• Trick Question 7.x-1.x versions prior to 7.x-1.5

Drupal core is not affected. If you do not use the contributed Trick Question module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Trick Question module for Drupal 6.x, upgrade to Trick Question 6.x-1.5
• If you use the Trick Question module for Drupal 7.x, upgrade to Trick Question 7.x-1.5

Also see the Trick Question project page.

Reported by

• Matt Vance provisional member of the Drupal Security Team

Fixed by

• Martin Joergensen the module maintainer
• Matt Vance provisional member of the Drupal Security Team

Coordinated by

• Matt Vance provisional member of the Drupal Security Team