H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

* Advisory ID: DRUPAL-SA-CONTRIB-2017-071
* Project: H5P - Create and Share Rich Content and Applications (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 18/25 (Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The H5P module helps create interactive videos, question sets, drag and drop
questions, multichoice questions, boardgames, presentations, flashcards and
more using Drupal.

The module does not sufficiently filter text prior to printing it back to the
page, leading to a Reflected Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that many modern browsers contain
protection against some kinds of Reflected XSS vulnerabilities.

VERSIONS AFFECTED

H5P 7.x-1.x versions prior to 7.x-1.32.

Drupal core is not affected. If you do not use the contributed H5P - Create
and Share Rich Content and Applications module, there is nothing you need
to do.

SOLUTION

Install the latest version:

If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.32.

Also see the H5P - Create and Share Rich Content and Applications project page: https://www.drupal.org/project/h5p
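
To check an installed copy against the affected range above, the following added example (not part of the advisory or the H5P project) reads the version line that drupal.org packaging writes into a module's .info file. The function names and the sample file contents are constructed for illustration; the path to h5p.info is supplied by the operator.

```python
import re
import sys

FIXED_MINOR = 32  # the advisory names 7.x-1.32 as the fixed release

# drupal.org packaging appends a line such as: version = "7.x-1.31"
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
# Tagged releases on the affected branch only: 7.x-1.<minor>
RELEASE = re.compile(r'^7\.x-1\.(\d+)$')


def info_version(info_text):
    """Return the version string from a Drupal 7 .info file, or None."""
    match = VERSION_LINE.search(info_text)
    return match.group(1) if match else None


def h5p_status(info_text):
    """Classify h5p.info contents as 'affected', 'fixed' or 'unknown'.

    'unknown' covers a missing version line (e.g. a git checkout), -dev
    snapshots and any string that is not a plain 7.x-1.<minor> release;
    those need manual review rather than a guess.
    """
    version = info_version(info_text)
    match = RELEASE.match(version or "")
    if not match:
        return "unknown"
    # Compare numerically: as strings, "9" would sort after "32".
    return "affected" if int(match.group(1)) < FIXED_MINOR else "fixed"


# Constructed sample, shaped like a packaged Drupal 7 .info file.
SAMPLE_INFO = '''name = H5P
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-1.31"
project = "h5p"
'''

if __name__ == "__main__":
    # Usage: python check_h5p.py path/to/h5p.info (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INFO
    print(info_version(text), h5p_status(text))
```

An "unknown" result means the version string alone cannot settle the question, so compare the checkout against the 7.x-1.32 release by hand.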
