CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS
Percentile: 99.7%
This module enables you to manage migration processes through the administrative UI.
The module doesn’t sufficiently sanitize destination field labels, thereby exposing a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields (such as “administer taxonomy”), or be able to modify source data being imported by an administrator. Furthermore, the migrate_ui submodule must be enabled.
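The pattern behind this class of bug, as an added PHP illustration (not code from the Migrate module): a field label set by a user with field-editing permission is written into an administrative table, first unescaped and then escaped at the point of output. The function names and the sample label are constructed for this example.

```php
<?php
// Added illustration; not code from the Migrate module.
// Function names are hypothetical and the labels are constructed sample data.

/** HTML-escape a value for use in element content or a quoted attribute. */
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the stored label is concatenated into markup as-is. */
function render_destination_rows_unsafe(array $fields): string {
  $html = '';
  foreach ($fields as $machine_name => $label) {
    $html .= '<tr><td>' . $machine_name . '</td><td>' . $label . "</td></tr>\n";
  }
  return $html;
}

/** Hardened pattern: every stored value is escaped where it is output. */
function render_destination_rows_safe(array $fields): string {
  $html = '';
  foreach ($fields as $machine_name => $label) {
    $html .= '<tr><td>' . escape_html((string) $machine_name) . '</td><td>'
      . escape_html((string) $label) . "</td></tr>\n";
  }
  return $html;
}

// Constructed input: the second label carries markup, as a user with
// permission to edit fields could store it.
$fields = [
  'field_tags'  => 'Tags',
  'field_notes' => 'Notes<script>alert("label")</script>',
];

$unsafe = render_destination_rows_unsafe($fields);
$safe   = render_destination_rows_safe($fields);

// Regression check of the kind a module test could carry: the rendered
// admin table must not contain a live tag that came from a label.
printf("unsafe output contains <script>: %s\n",
  strpos($unsafe, '<script>') !== false ? 'yes' : 'no');
printf("safe output contains <script>:   %s\n",
  strpos($safe, '<script>') !== false ? 'yes' : 'no');
echo $safe;
```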
Drupal core is not affected. If you do not use the contributed Migrate module, there is nothing you need to do.
Install the latest version:
Also see the Migrate project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2516560
www.drupal.org/project/migrate
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/benjifisher
www.drupal.org/u/klausi
www.drupal.org/user/4420
www.drupal.org/writing-secure-code