drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2012-032
Mar 07, 2012 - 12:00 a.m.

SA-CONTRIB-2012-032 - Block Class - Cross Site scripting

2012-03-07 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 2.1 Low (AV:N/AC:H/Au:S/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.967 High (Percentile: 99.7%)

CVE: CVE-2012-1657

The Block Class module allows users to add classes to any block through the block’s configuration interface.

The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject JavaScript that would be rendered when viewing the block.
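The filtering gap described above, shown as an added example that is not the Block Class module's code or its actual fix: an unfiltered render next to one that allow-lists class tokens and escapes the attribute. All function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example; not the Block Class module's code. All function names are hypothetical.

// Unsafe pattern described in the advisory: the stored class string is
// concatenated into the attribute without filtering.
function example_render_block_unfiltered($raw_classes, $body_html) {
  return '<div class="block ' . $raw_classes . '">' . $body_html . '</div>';
}

// Keep only tokens that are plain CSS class names: an optional leading hyphen,
// then a letter or underscore, then letters, digits, underscores or hyphens.
// Anything else (quotes, angle brackets, '=', parentheses) rejects the token.
function example_clean_block_classes($raw_classes, $max_classes = 10) {
  $tokens = preg_split('/\s+/', trim((string) $raw_classes), -1, PREG_SPLIT_NO_EMPTY);
  $clean = array();
  foreach ($tokens as $token) {
    if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]*$/D', $token) === 1) {
      $clean[] = $token;
    }
  }
  // De-duplicate and cap the count so one field cannot bloat the markup.
  return array_slice(array_values(array_unique($clean)), 0, $max_classes);
}

// Hardened render: filter on the way in, escape on the way out.
// $body_html is assumed to be markup that was sanitised elsewhere.
function example_render_block($raw_classes, $body_html) {
  $classes = array_merge(array('block'), example_clean_block_classes($raw_classes));
  $attr = htmlspecialchars(implode(' ', $classes), ENT_QUOTES, 'UTF-8');
  return '<div class="' . $attr . '">' . $body_html . '</div>';
}

// Constructed sample inputs: one ordinary value, one that tries to close the
// attribute and add an event handler.
$samples = array(
  'sidebar highlight sidebar',
  'promo" onmouseover="alert(1)',
);
foreach ($samples as $raw) {
  echo "input:      ", $raw, "\n";
  echo "unfiltered: ", example_render_block_unfiltered($raw, 'Hello'), "\n";
  echo "hardened:   ", example_render_block($raw, 'Hello'), "\n\n";
}
```

Inside a Drupal 7 module, core's `drupal_html_class()` and `check_plain()` cover the same two steps, so a custom filter like this one is only needed outside Drupal.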

Versions affected

  • Blockclass versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Block Class module for Drupal 7.x, upgrade to Block Class 7.x-1.1.

See also the Block Class project page.

Reported by

Fixed by

Coordinated by
