Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Project: Automated Logout
Version: 7.x-4.x-dev
Date: 2017-November-01
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module gives a site administrator the ability to log users out after
a specified time of inactivity. It is highly customizable and includes "site
policies" by role to enforce logout.

The module does not sufficiently filter user-supplied text that is stored in
the configuration, resulting in a persistent Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer autologout".

Solution

Install the latest version:

* If you use the Automated Logout module for Drupal 7, upgrade to Automated Logout 7.x-4.5
