Drupal Security Team, DRUPAL-SA-CONTRIB-2015-105
May 06, 2015 - 12:00 a.m.

Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105

www.drupal.org

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.967 (Percentile: 99.7%)

Video Consultation module integrates VideoWhisper Video Consultation software with Drupal.

The module doesn’t sufficiently sanitize user-supplied text, thereby exposing a Cross Site Scripting vulnerability.

CVE identifier(s) issued

  • CVE-2015-5492

Versions affected

All versions of Video Consultation module.

Drupal core is not affected. If you do not use the contributed Video Consultation module, there is nothing you need to do.

Solution

If you use the Video Consultation module, you should uninstall it.

Also see the Video Consultation project page.

Reported by

Fixed by

Not applicable.

Coordinated by
