MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

The MailChimp module allows you to create and manage mailing lists via MailChimp’s API.

The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the “administer mailchimp” permission and the “MailChimp Signup” submodule must be enabled.

CVE identifier(s) issued

• CVE-2015-5488

Versions affected

• MailChimp 7.x-3.x versions prior to 7.x-3.3. (Mailchimp 7.x-2.x versions are not affected)

Drupal core is not affected. If you do not use the contributed MailChimp module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the MailChimp module for Drupal 7.x, upgrade to MailChimp 7.x-3.3

Also see the MailChimp project page.

Reported by

• Klaus Purer of the Drupal Security Team
• Ide Braakman

Fixed by

• Cooper Stimson the module maintainer
• Dan Ruscoe the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team