drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2015-143
Sep 02, 2015 - 12:00 a.m.

Zendesk Feedback Tab - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-143

2015-09-02 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.001
Percentile: 41.4%

This module enables you to easily integrate the Zendesk Support Tab on your Drupal website.

The module allows JavaScript code to be embedded via its administration interface, which creates the potential for cross-site scripting attacks. The module did not properly indicate that site administrators should restrict access to that permission to only trusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Configure Zendesk Feedback Tab permission.
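
An added example, not part of the advisory or the module's code: a minimal audit of which roles hold the permission, run against a constructed in-memory copy of the Drupal 7 `role` and `role_permission` tables. The permission machine name and module name are placeholders, because the advisory gives only the permission's display title.

```python
import sqlite3

# Drupal 7 built-in role ids: 1 = anonymous user, 2 = authenticated user.
# A permission granted to either one reaches every visitor or every account.
BROAD_ROLES = {1: "anonymous user", 2: "authenticated user"}

# Placeholder: the advisory names the permission only by its display title
# ("Configure Zendesk Feedback Tab"), not by its machine name.
PERMISSION = "PLACEHOLDER zendesk feedback tab permission"


def roles_with_permission(db, permission):
    """Return [(rid, role name, is_broad)] for every role granted `permission`."""
    rows = db.execute(
        "SELECT r.rid, r.name FROM role r "
        "JOIN role_permission rp ON rp.rid = r.rid "
        "WHERE rp.permission = ? ORDER BY r.rid",
        (permission,),
    ).fetchall()
    return [(rid, name, rid in BROAD_ROLES) for rid, name in rows]


def build_sample_db():
    """Constructed sample data in the Drupal 7 role / role_permission layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT, weight INTEGER);
        CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT,
                                      PRIMARY KEY (rid, permission));
    """)
    db.executemany("INSERT INTO role VALUES (?, ?, ?)", [
        (1, "anonymous user", 0), (2, "authenticated user", 1),
        (3, "administrator", 2), (4, "support editor", 3)])
    db.executemany("INSERT INTO role_permission VALUES (?, ?, ?)", [
        (2, PERMISSION, "placeholder_module"),   # over-broad grant
        (3, PERMISSION, "placeholder_module"),
        (1, "access content", "node"),
        (4, "access content", "node")])
    return db


if __name__ == "__main__":
    for rid, name, broad in roles_with_permission(build_sample_db(), PERMISSION):
        note = "REVIEW: grant reaches all such accounts" if broad else "confirm role is trusted"
        print(f"rid={rid} {name}: {note}")
```

Against a real site, point the same query at the site's database and substitute the permission's actual machine name.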

CVE identifier(s) issued

  • CVE-2015-6921

Versions affected

  • Zendesk Feedback Tab 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Zendesk Feedback Tab module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Zendesk Feedback Tab project page.

Reported by

Fixed by

Coordinated by
