Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-082

HistoryOct 23, 2013 - 12:00 a.m.

SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)

2013-10-2300:00:00

Drupal Security Team

www.drupal.org

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

57.0%

JSON

This module enables you to create block entities a.k.a. beans.

The module did not sufficiently filter bean titles for dangerous html.

This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans.

CVE identifier(s) issued

CVE-2013-4499

Versions affected

Bean 7.x-1.x versions prior to 7.x-1.5

Drupal core is not affected. If you do not use the contributed Bean module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Bean module for Drupal 7.x, upgrade to Bean 7.x-1.5

Also see the Bean project page.

Reported by

Francesco Quagliati

Fixed by

Francesco Quagliati
Damien McKenna the module maintainer

Coordinated by

Hunter Fox of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/bean

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/1977720

drupal.org/user/426416

drupal.org/writing-secure-code

drupal.org/user/108450

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

57.0%

JSON

Related for DRUPAL-SA-CONTRIB-2013-082