Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Project: Select (or other)
Date: 2018-July-25
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module lets users select 'other' on certain form elements, at which point
a text field appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of a text field when the
"Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access
to edit a field that is displayed through the "Select or other" formatter.

Solution

* If you use "Select or other" 7.x-2.x, upgrade to Select or other 7.x-2.24
* If you use "Select or other" 7.x-3.x, upgrade to Select or other 7.x-3.0-alpha3

Also see the Select (or other) project page.
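
To audit a site against the fixed releases listed in the Solution, the following added example (not part of the advisory or the project's code) classifies a release string or the `version` line of a module `.info` file. It assumes that every release on a branch below the listed fixed release needs the upgrade and that the `.info` file carries a drupal.org-style `version` line; the function names and the sample file contents are constructed for illustration.

```python
import re

# Fixed releases taken from the advisory's Solution list, keyed by branch.
FIXED = {"7.x-2": "7.x-2.24", "7.x-3": "7.x-3.0-alpha3"}
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last

VERSION_RE = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<stage>alpha|beta|rc)(?P<n>\d+))?$"
)
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)


def parse(version):
    """Return (branch, sortable key), or None for -dev and unknown strings."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    branch = f"{m['core']}.x-{m['major']}"
    key = (int(m["patch"]), STAGE[m["stage"]], int(m["n"] or 0))
    return branch, key


def status(version):
    """Classify a release string as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse(version)
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"  # dev snapshots and other branches need manual review
    branch, key = parsed
    return "fixed" if key >= parse(FIXED[branch])[1] else "vulnerable"


def status_from_info(info_text):
    """Read the version line from .info file contents and classify it."""
    m = INFO_VERSION_RE.search(info_text)
    return status(m.group(1)) if m else "unknown"


# Constructed sample resembling a packaged module .info file (assumption).
SAMPLE_INFO = '''name = Select (or other)
core = 7.x
version = "7.x-2.23"
'''

if __name__ == "__main__":
    print(status_from_info(SAMPLE_INFO))
```

An "unknown" result (for example a `-dev` snapshot) means the version string alone cannot settle the question and the installed code should be compared against the fixed release.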
