- Advisory ID: DRUPAL-SA-CONTRIB-2015-174
- Project: Open Atrium (third-party module)
- Version: 7.x
- Date: 2015-December-16
- Security risk: 17/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
The Open Atrium distribution lets you build an intranet on Drupal.
The Open Atrium Core module (oa_core) does not sufficiently sanitize some user-supplied text before it is output as markup, leading to a reflected cross-site scripting (XSS) vulnerability. In a reflected XSS the malicious input travels in the request (typically a crafted link the victim is lured into following) and is echoed unescaped into the response; as the risk rating above indicates (A:None), no authentication is needed to trigger it.
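To make the vulnerability class concrete, the following is an added illustration written for this advisory. It is not the oa_core code and does not reproduce the affected Open Atrium page; the page callback, its `q` parameter and the payload are all hypothetical. It shows the general Drupal 7 pattern: a request parameter concatenated straight into HTML, beside the same callback hardened with `check_plain()`, which in Drupal 7 is a wrapper for `htmlspecialchars()` with `ENT_QUOTES` and UTF-8, so a shim with that body is used to let the script run outside a Drupal bootstrap.

```php
<?php
// Added illustration for this advisory; NOT the oa_core code and not the
// actual vulnerable page. Run stand-alone: php reflected_xss_demo.php

// Outside a Drupal bootstrap check_plain() is undefined. This shim has the
// same body as Drupal 7's check_plain(): htmlspecialchars(ENT_QUOTES, UTF-8).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical page callback that echoes a search term from the query string.
// Reflected XSS: the raw request parameter reaches the markup unescaped.
function demo_page_vulnerable(array $query) {
  $term = isset($query['q']) ? $query['q'] : '';
  return '<h2>Results for ' . $term . '</h2>';
}

// Hardened form: every untrusted string is escaped before it becomes HTML.
function demo_page_fixed(array $query) {
  $term = isset($query['q']) ? $query['q'] : '';
  return '<h2>Results for ' . check_plain($term) . '</h2>';
}

// Constructed attacker-controlled input, as a crafted link would carry it.
$request = array('q' => '<script>alert(document.cookie)</script>');

echo "Vulnerable: " . demo_page_vulnerable($request) . PHP_EOL;
echo "Fixed:      " . demo_page_fixed($request) . PHP_EOL;
```

In real Drupal 7 code the same escaping happens automatically when the value goes through `t()` with an `@` placeholder, e.g. `t('Results for @term', array('@term' => $term))`; where a field is meant to carry a restricted set of HTML tags, `filter_xss()` is the Drupal 7 alternative to `check_plain()`. Either way, the fix is to escape or filter at the point the untrusted string is turned into markup, not to reject input patterns.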
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
- Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66
Drupal core is not affected. If you do not use the contributed Open Atrium Core module or the Open Atrium distribution, there is nothing you need to do.
Solution
If you use the Open Atrium distribution for Drupal 7.x:
- Upgrade to Open Atrium 7.x-2.51
If you use the Open Atrium Core module for Drupal 7.x:
- Upgrade to Open Atrium Core 7.x-2.66
If you are unable to update to Open Atrium 2.51 or oa_core 2.66, you can apply the patch linked from this advisory to the oa_core module as a stopgap until you are able to upgrade completely to Open Atrium 2.51 or oa_core 2.66.
Also see the Open Atrium project page.
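To tell quickly whether an installed copy is below the fixed release, the following is an added check written for this advisory (not part of Open Atrium or of the advisory itself). It reads the `version =` line that packaged Drupal 7 releases carry in their `.info` file and compares it against the versions named above. The sample `.info` content is constructed, the file locations in the comments are assumptions, and a dev or git checkout (no packaged version line, or a version ending in `-dev`) is reported for manual verification rather than guessed at.

```php
<?php
// Added check for this advisory; not Open Atrium code.
// Run stand-alone: php oa_version_check.php

// Fixed releases named in this advisory, keyed by project machine name.
// Assumed file locations: profiles/openatrium/openatrium.info for the
// distribution, oa_core.info inside the module directory for the module.
$fixed = array(
  'openatrium' => '7.x-2.51',
  'oa_core'    => '7.x-2.66',
);

// Returns the packaged version string from .info text, or NULL when there is
// no "version =" line (an unpackaged dev/git checkout).
function info_version($info_text) {
  if (preg_match('/^\s*version\s*=\s*"?([^"\r\n]+)"?\s*$/m', $info_text, $m)) {
    return trim($m[1]);
  }
  return NULL;
}

// TRUE if $installed is older than $fixed_version. Both are "7.x-N.M" strings;
// the core prefix is stripped and the remainder compared with version_compare().
// Returns NULL for a dev build ("7.x-2.x-dev"), which cannot be ordered.
function is_older_than($installed, $fixed_version) {
  $strip = function ($v) { return preg_replace('/^\d+\.x-/', '', $v); };
  $inst = $strip($installed);
  if (strpos($inst, 'dev') !== FALSE || strpos($inst, 'x') !== FALSE) {
    return NULL;
  }
  return version_compare($inst, $strip($fixed_version), '<');
}

// Reports one project's status given the text of its .info file.
function report($project, $info_text, array $fixed) {
  $installed = info_version($info_text);
  if ($installed === NULL) {
    return "$project: no packaged version line; dev checkout, verify manually";
  }
  $older = is_older_than($installed, $fixed[$project]);
  if ($older === NULL) {
    return "$project $installed: dev build, verify the commit manually";
  }
  return $older
    ? "$project $installed is affected; upgrade to {$fixed[$project]}"
    : "$project $installed is at or above the fixed release";
}

// Constructed sample .info contents (not files from a real site).
$samples = array(
  'oa_core'    => "name = Open Atrium Core\ncore = 7.x\nversion = \"7.x-2.65\"\nproject = \"oa_core\"\n",
  'openatrium' => "name = Open Atrium\ncore = 7.x\nversion = \"7.x-2.51\"\nproject = \"openatrium\"\n",
);
foreach ($samples as $project => $info_text) {
  echo report($project, $info_text, $fixed), PHP_EOL;
}
```

On a live site the same numbers are shown by `drush pm-info oa_core` or on the Reports » Available updates page; the script is useful when you only have a filesystem copy or are auditing many sites at once.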
Reported by
Fixed by
- kris84
- Mike Potter, a module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity