Bootstrap Carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

Project: bootstrap_carousel
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module provides a way to build carousels based on bootstrap-carousel.js. The module doesn't sufficiently sanitize the alt attribute of the img HTML tag when rendering it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any similar node module permissions for creating/editing/removing the module-delivered content type.
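
The class of bug described above, as an added example that is not the module's own code: a hypothetical slide renderer that concatenates the alt text raw, the same renderer with attribute escaping, and a parser-based check that lists the attributes a browser would see on the resulting img tag. Function names, the file path and the sample alt text are constructed for illustration.

```php
<?php
// Added example: illustrative only, not taken from bootstrap_carousel.

// Hypothetical "before": editor-supplied alt text is concatenated raw, so a
// double quote in the text ends the attribute early.
function slide_img_unsafe(string $src, string $alt): string {
  return '<img src="' . $src . '" alt="' . $alt . '" />';
}

// Hardened form: escape every value for an HTML attribute context.
// Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
function slide_img_safe(string $src, string $alt): string {
  $esc = function (string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
  };
  return '<img src="' . $esc($src) . '" alt="' . $esc($alt) . '" />';
}

// Regression check: parse the markup and return the attribute names found on
// the first <img>. Anything other than src/alt means a value broke out of
// its attribute.
function img_attribute_names(string $html): array {
  libxml_use_internal_errors(true);   // tolerate fragment-level warnings
  $doc = new DOMDocument();
  $doc->loadHTML($html);
  libxml_clear_errors();
  $img = $doc->getElementsByTagName('img')->item(0);
  $names = [];
  foreach ($img->attributes as $attr) {
    $names[] = $attr->nodeName;
  }
  return $names;
}

// Constructed sample input: alt text containing a double quote.
$src = '/sites/default/files/slide1.jpg';
$alt = 'Summer sale" onerror="alert(1)';

foreach (['slide_img_unsafe', 'slide_img_safe'] as $render) {
  $extra = array_diff(img_attribute_names($render($src, $alt)), ['src', 'alt']);
  echo $render, ': ', $extra ? 'unexpected attributes: ' . implode(', ', $extra) : 'ok', PHP_EOL;
}
```

The same check can be pointed at rendered carousel markup on a test site to confirm that the upgrade escapes alt text.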

Solution

Install the latest version:

If you use the bootstrap_carousel module for Drupal 7, upgrade to bootstrap_carousel 7.x-1.2.
