Open Atrium – Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-174

Description

The Open Atrium distribution enables you to create an intranet.

The Open Atrium Core module (oa_core) doesn't sufficiently sanitize some user-supplied text before it is output, leading to a reflected cross-site scripting (XSS) vulnerability.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
  • Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66

Drupal core is not affected. If you do not use the contributed Open Atrium Core module or the Open Atrium distribution, there is nothing you need to do.

Solution

If you use the Open Atrium distribution for Drupal 7.x:

If you use the Open Atrium Core module for Drupal 7.x:

If you are unable to update to Open Atrium 2.51 or oa_core 2.66, you can apply this patch to the oa_core module to fix the vulnerability until you are able to completely upgrade to Open Atrium 2.51 or oa_core 2.66.

Also see the Open Atrium project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
