Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-013

HistoryJan 30, 2013 - 12:00 a.m.

SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)

2013-01-3000:00:00

Drupal Security Team

www.drupal.org

2.1 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

The subject field for the included simple box doesn’t escape HTML properly.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes.

Wikipedia has more information about cross site scripting (XSS).

CVE identifier(s) issued

CVE-2013-0259

Versions affected

Boxes 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Boxes module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Boxes module for Drupal 7.x, upgrade to Boxes 7.x-1.1

Also see the Boxes project page.

Reported by

Laura Dickinson

Fixed by

Tirdad Chaharlengi the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/boxes

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/337318

drupal.org/user/36762

drupal.org/user/383630

drupal.org/writing-secure-code

en.wikipedia.org/wiki/Xss

2.1 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2013-013