SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities

This module provides integration with the Cloudwords third-party service.

The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting (XSS) vulnerability.

Also, a menu callback was not protected against CSRF.

The XSS vulnerability is mitigated by the fact that an attacker must have a user with permissions to create nodes.

CVE identifier(s) issued

• Cross Site Scripting: CVE-2015-3348 * Cross Site Request Forgery:CVE-2015-3347

Versions affected

• Cloudwords for Multilingual Drupal 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Cloudwords for Multilingual Drupal module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Cloudwords for Multilingual Drupal module for Drupal 7.x, upgrade to Cloudwords for Multilingual Drupal 7.x-2.3

Also see the Cloudwords for Multilingual Drupal project page.

Reported by

• Pere Orga provisional member of the Drupal Security Team

Fixed by

• Eric Hildebrand the module maintainer

Coordinated by

• Pere Orga provisional member of the Drupal Security Team