- Advisory ID: DRUPAL-SA-CONTRIB-2016-012
- Project: Hubspot CTA (third-party module)
- Version: 7.x
- Date: 2016-March-02
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
This module enables you to embed a Hubspot CTA buttons widget in a Bean block.
The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn’t sufficiently sanitise these parameters, allowing a potential cross-site scripting attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “administer beans” or “Hubspot Calls-to-action: Add Bean”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All versions of Hubspot CTA module.
Drupal core is not affected. If you do not use the contributed Hubspot CTA module, there is nothing you need to do.
Solution
If you use the Hubspot CTA module you should uninstall it.
Also see the Hubspot CTA project page.
Reported by
Fixed by
Not applicable.
Coordinated by
- Mori Sugimoto of the Drupal Security Team
- Dan Smith of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity