* Advisory ID: DRUPAL-SA-CONTRIB-2017-057
* Project: DrupalChat (third-party module)
* Version: 7.x
* Date: 2017-July-05
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom.
The module did not confirm the validity of a chat request, resulting in a Cross Site Request Forgery (CSRF) vulnerability which enables an attacker to trick a user into sending arbitrary chat messages to any user.
The module did not filter administrator-provided text, leading to a Cross Site Scripting (XSS) vulnerability.
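The two checks this advisory says were missing, shown as an added example in plain PHP rather than as DrupalChat's own code (the module's actual patch is not reproduced here). The first check binds a chat request to a per-session token so that a form post triggered from another site is rejected; the second escapes administrator-provided text before it is rendered. Drupal 7 ships the same behaviour as drupal_get_token()/drupal_valid_token() and check_plain()/filter_xss(); the function names, the private key and the session id below are this example's own constructed values, chosen so the script runs stand-alone with `php`.

```php
<?php
// Added example, not DrupalChat code. Demonstrates a CSRF token check on a
// chat request and output escaping of administrator-provided text.
// In Drupal 7 the equivalents are drupal_get_token()/drupal_valid_token()
// and check_plain()/filter_xss(); every name here is this example's own.

// Constructed stand-ins for the site's server-side secret and a session id.
const SITE_PRIVATE_KEY = 'constructed-private-key-do-not-reuse';
const SESSION_ID       = 'constructed-session-id-abc123';

// Issue a token tied to both the user's session and the action it authorises.
function chat_token(string $action, string $session_id = SESSION_ID): string {
    return hash_hmac('sha256', $action, SITE_PRIVATE_KEY . $session_id);
}

// Accept a chat request only if it carries a valid token for this session.
// A cross-site form post can reproduce the visible fields ("to", "message")
// but cannot read the victim's token, so it fails this check.
function chat_request_allowed(array $request, string $session_id = SESSION_ID): bool {
    if (empty($request['token']) || !is_string($request['token'])) {
        return false;
    }
    $expected = chat_token('send_message', $session_id);
    // hash_equals() compares in constant time so the token is not leaked
    // through response-timing differences.
    return hash_equals($expected, $request['token']);
}

// Escape administrator-provided text before placing it in HTML output.
function render_admin_text(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// --- demonstration on constructed input ---
// A request as a cross-site form post would produce it: no token at all.
$forged = ['to' => 'victim', 'message' => 'hello'];
// The same request sent from the site's own chat form, with the session token.
$legit  = $forged + ['token' => chat_token('send_message')];
// A token minted for a different session, to show the binding is per session.
$other  = $forged + ['token' => chat_token('send_message', 'constructed-other-session')];

printf("request without token allowed?      %s\n", chat_request_allowed($forged) ? 'yes' : 'no');
printf("request with session token allowed? %s\n", chat_request_allowed($legit)  ? 'yes' : 'no');
printf("request with foreign token allowed? %s\n", chat_request_allowed($other)  ? 'yes' : 'no');

// Constructed administrator setting containing markup, as an unfiltered
// admin field might; after escaping it renders as literal text, not script.
$admin_text = '<script>alert("xss")</script>';
echo "escaped admin text: ", render_admin_text($admin_text), "\n";
```

htmlspecialchars() neutralises all markup, which matches Drupal's check_plain(); where an administrator is meant to supply limited HTML, Drupal's filter_xss() with an explicit tag allow-list is the closer fit. The token check must run on every state-changing chat endpoint, not only on the form that renders the token.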
* DrupalChat 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed DrupalChat module, there is nothing you need to do.
Install the latest version:
* If you use the DrupalChat module for Drupal 7.x, upgrade to DrupalChat 7.x-2.6