Drupal Security TeamDRUPAL-SA-CONTRIB-2012-018SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting
2.1 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
43.8%
CVE: CVE-2012-1060
The Drupal Revisioning module (<https://drupal.org/project/revisioning>) “is a module for the configuration of workflows to create, moderate and publish content revisions.”
The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.
Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML as part of their tags. Users reviewing the queue would then become victims of the XSS attack.
The risk is mitigated by the fact that the attacker must have the ability to create taxonomy terms (either “administer taxonomy” or via a freetagging vocabulary).
Versions affected
- Revisioning 6.x-3.13 and prior.
Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.
Solution
Install the latest version:
- Upgrade to Revisioning 6.x-3.14
See also the Revisioning project page.
Reported by
Fixed by
- Justin C. Klein Keane
- Rik de Boer, the module maintainer
Coordinated by
- Dylan Tack of the Drupal Security Team
References
Related
2.1 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
43.8%