Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154

This module enables you to create notes on a page inside a block.

The module doesn’t sufficiently sanitize the note text on the admin listing page.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote.

CVE identifier(s) issued

• CVE-2015-7879

Versions affected

• Stickynote 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.

Solution

Install the latest version.

• If you use the Stickynote module for Drupal 7.x, upgrade to Stickynote 7.x-1.3

Also see the stickynote project page.

Reported by

• Jon Peck

Fixed by

• Luke Herrington the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team