CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS
Percentile: 99.7%
The Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description.
The module doesn’t sufficiently sanitize user-supplied text in some pages, thereby exposing a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Profile2 Privacy Levels”.
Drupal core is not affected. If you do not use the contributed Profile2 Privacy module, there is nothing you need to do.
Install the latest version:
Also see the Profile2 Privacy project page.
www.drupal.org/project/profile2_privacy