DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057

* Advisory ID: DRUPAL-SA-CONTRIB-2017-057
* Project: DrupalChat (third-party module)
* Version: 7.x
* Date: 2017-July-05
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery


DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom.

The module did not confirm the validity of a chat request, resulting in a Cross Site Request Forgery (CSRF) vulnerability which enables an attacker to trick a user into sending arbitrary chat messages to any user.

The module did not filter administrator provided text, leading to a Cross Site Scripting (XSS) vulnerability.
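
The two checks these bug classes call for in a Drupal 7 module, shown as an added example that is not DrupalChat's own code or its actual patch. The module name `examplechat`, every `examplechat_*` function, the path and the variable name are assumptions; the Drupal API calls are the standard Drupal 7 ones, and the file is meant to be loaded as a module inside a Drupal 7 site.

```php
<?php
// examplechat.module: hypothetical Drupal 7 module, NOT DrupalChat's code.
// All examplechat_* names, the path and the variable name are assumptions.

/**
 * Implements hook_menu().
 */
function examplechat_menu() {
  $items['examplechat/send'] = array(
    'page callback' => 'examplechat_send',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_init(): hand the chat JavaScript a session-bound token.
 */
function examplechat_init() {
  $token = drupal_get_token('examplechat_send');
  drupal_add_js(array('examplechat' => array('sendToken' => $token)), 'setting');
}

/**
 * Page callback: accept a chat message only with a valid token.
 */
function examplechat_send() {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  // A forged cross-site request cannot read the token, so it fails here.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($token)
      || !drupal_valid_token($token, 'examplechat_send')) {
    return MENU_ACCESS_DENIED;
  }
  $message = isset($_POST['message']) && is_string($_POST['message']) ? $_POST['message'] : '';
  // Storage and delivery are out of scope; echo the message escaped for HTML.
  drupal_json_output(array('message' => check_plain($message)));
}

/**
 * Administrator-provided text is filtered when it is output.
 */
function examplechat_banner() {
  // filter_xss_admin() allows a list of ordinary markup tags and removes
  // scripts and event-handler attributes; use check_plain() for plain text.
  return filter_xss_admin(variable_get('examplechat_banner', ''));
}
```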


* DrupalChat 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed DrupalChat module, there is nothing you need to do.


Install the latest version:

* If you use the DrupalChat module for Drupal 7.x, upgrade to DrupalChat 7.x-2.6
