SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS)

2012-07-11 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.967 High (Percentile: 99.7%)

Colorbox Node gives the user the ability to display ANY page inside a colorbox modal without the header and footer. The module accepts some settings from URL parameters and didn’t sufficiently validate them before printing them to the browser, allowing malicious users to inject script code into the page.

CVE: CVE-2012-4474
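
As an added illustration of the flaw described above (not code from the Colorbox Node module or from the Drupal Security Team): a hypothetical PHP handler that prints a URL parameter without validation, beside a hardened form that allowlists the keys, validates each value and encodes on output. The parameter names `width` and `height` and all `example_*` functions are assumptions made for this example.

```php
<?php
// Added example: hypothetical code, not taken from the Colorbox Node module.
// The parameter names "width" and "height" are assumptions for illustration.

// Pattern the advisory describes: a URL parameter printed without validation.
function example_modal_markup_unvalidated(array $query) {
  $width = isset($query['width']) ? $query['width'] : '600';
  return '<div class="modal" style="width:' . $width . 'px"></div>';
}

// Validate a dimension setting: digits only, within bounds, else the default.
function example_dimension($value, $default, $min = 50, $max = 4000) {
  // Arrays (?width[]=1), missing values and non-digit strings are rejected.
  if (!is_string($value) || !ctype_digit($value) || strlen($value) > 5) {
    return $default;
  }
  $n = (int) $value;
  return ($n >= $min && $n <= $max) ? $n : $default;
}

// Hardened form: allowlist the keys, validate each value, encode on output.
function example_modal_markup(array $query) {
  $defaults = array('width' => 600, 'height' => 600);
  $style = '';
  foreach ($defaults as $key => $default) {
    // Keys not in $defaults (such as "extra" below) are never read.
    $raw = isset($query[$key]) ? $query[$key] : null;
    $style .= $key . ':' . example_dimension($raw, $default) . 'px;';
  }
  // Encoding is applied even though the values are now integers, so a
  // later change to the validator cannot reintroduce the injection.
  return '<div class="modal" style="'
    . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '"></div>';
}

// Constructed sample input: one value carries markup instead of a number.
$sample = array('width' => '300"><b>injected</b>', 'height' => '400', 'extra' => 'x');
// Unvalidated form: the markup from the URL is copied into the page as-is.
echo example_modal_markup_unvalidated($sample), "\n";
// Hardened form: the invalid width is replaced by the default value.
echo example_modal_markup($sample), "\n";
```

In Drupal 7 code, `check_plain()` is the API's counterpart to the `htmlspecialchars()` call used here.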

Versions affected

  • Colorbox Node 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Colorbox Node module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Colorbox Node project page.

Reported by

Fixed by

Coordinated by
