Drupal

RedHen CRM – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-002

Leave a comment

Description

The Redhen set of modules allows you to build a CRM features in a Drupal site.

When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, these modules do not properly filter certain data before display.

This vulnerability is mitigated by the fact that an attacker must have an authenticated user account with access to edit a contact, administer engagement scores, or administer taxonomies.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Redhen 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed RedHen CRM module, there is nothing you need to do.

Solution

Install the latest version:

Workaround (if you are unable to update the module immediately):

  • In the display settings for your Redhen Contact Types (admin/structure/redhen/contact_types), hide “name” on all display modes.
  • Restrict access to “Administer Engagement Scores” and “Administer Taxonomies” to trusted users.

Also see the RedHen CRM project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 7.x

Leave a Reply