CVSS2 score: 5.1 (Medium)
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS2 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 0.967 (High)
EPSS percentile: 99.7%
The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation.
The module does not sufficiently filter user-supplied data in its admin screens, leading to a Cross Site Scripting (XSS) vulnerability. A Cross Site Request Forgery (CSRF) vulnerability in the module's controls could allow an attacker to change workflows, including injecting malicious scripts that exploit the XSS.
This vulnerability is mitigated by the fact that an attacker must have a role with the Maestro admin permissions, or must use CSRF against a user who has that permission.
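As an added illustration (not Maestro's own code), the following hypothetical Drupal 7 admin callbacks show the two weaknesses the advisory describes next to their hardened forms: unescaped output of a user-controlled workflow name, and a state-changing action that any link can trigger without a request token. The function names, paths, the `example_load_workflow_name` / `example_delete_workflow` helpers and the permission name are assumptions.

```php
<?php
// Added example, not code from the Maestro module. Both page callbacks are
// assumed to be registered in hook_menu() with
// 'access arguments' => array('administer maestro')  (permission name assumed),
// which is the "admin permission" mitigation the advisory mentions. CSRF
// defeats that check because the request is made by a logged-in admin.

// Weak: the workflow name is echoed into the admin page unescaped, so a name
// containing <script> executes in the browser of every admin who views it.
function example_workflow_page_weak($id) {
  $name = example_load_workflow_name($id);  // hypothetical loader
  return '<h2>' . $name . '</h2>';
}

// Hardened: escape every user-controlled string before it reaches markup, and
// bind the "delete" link to a per-session token for this specific action.
function example_workflow_page($id) {
  $name = example_load_workflow_name($id);  // hypothetical loader
  $delete = l(t('Delete workflow'), 'admin/example/workflow/' . $id . '/delete',
    array('query' => array('token' => drupal_get_token('example-delete-' . $id))));
  return '<h2>' . check_plain($name) . '</h2>' . $delete;
}

// Weak: a plain GET to this path performs the change. A crafted page visited
// by an admin (CSRF) can trigger it with no user intent.
function example_workflow_delete_weak($id) {
  example_delete_workflow($id);  // hypothetical
  drupal_goto('admin/example');
}

// Hardened: refuse the action unless the token matches this session and this
// workflow id. Forms built with the Form API get the same protection
// automatically through the hidden form_token field.
function example_workflow_delete($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example-delete-' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  example_delete_workflow($id);  // hypothetical
  drupal_set_message(t('Workflow %id deleted.', array('%id' => $id)));
  drupal_goto('admin/example');
}
```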
XSS issue: CVE-2012-2723
CSRF issue: CVE-2012-3799
Drupal core is not affected. If you do not use the contributed Maestro module, there is nothing you need to do.
Install the latest version:
Also see the Maestro project page.
drupal.org/node/1617952
drupal.org/project/maestro