Drupal Security TeamDRUPAL-SA-CONTRIB-2014-033SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
44.7%
Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system.
The module doesn’t sufficiently sanitize the title of images in the slider.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer nivo slider”.
CVE identifier(s) issued
- CVE-2014-8744
Versions affected
- Nivo Slider 7.x-2.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed Nivo Slider module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Nivo Slider module for Drupal 7.x, upgrade to Nivo Slider 7.x.1.11
Also see the Nivo Slider project page.
Reported by
Fixed by
Coordinated by
- Domenic Santangelo provisional member of the Drupal Security Team
- Ben Jeavons of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
References
drupal.org/contact
drupal.org/project/nivo_slider
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/2766355
drupal.org/user/91990
drupal.org/writing-secure-code
drupal.org/node/2220545
drupal.org/user/173461
drupal.org/user/290182
drupal.org/user/395439
twitter.com/drupalsecurity
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
44.7%