- Advisory ID: DRUPAL-SA-CONTRIB-2014-109
- Project: Freelinking (third-party module)
- Version: 6.x, 7.x
- Date: 2014-November-12
- Security risk: 16/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
- Vulnerability: Cross Site Scripting
Description
The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites.
The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that the person creating the content containing the link must have a role that allows use of an unsafe text format (e.g. “Full HTML”), or the Freelinking filter must be placed after all text sanitization filters (e.g. “Limit allowed HTML tags”) in an otherwise safe text format (e.g. “Filtered HTML”).
Please note that this vulnerability also existed in the freelinking_nodetitle.inc plugin in versions prior to 6.x-3.4 and 7.x-3.4, but that was patched in releases 6.x-3.4 and 7.x-3.4.
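To make the two conditions in the description concrete, here is an added Python model of a Drupal text-format pipeline (this is not the module's code; the `[[node:N]]` marker syntax, the node table and the filters are constructed stand-ins): an expander that copies the node title in unescaped, beside a fixed one that escapes it, each run before and after an allowed-tags filter.

```python
import html
import re

# Constructed node table (id -> title); the second title contains markup of the
# kind an author with node-create rights could put in a title field.
NODES = {
    1: "About us",
    2: 'Pricing <img src=x onerror="alert(1)">',
}

# Assumed marker syntax for this model only, not Freelinking's real syntax.
MARKER_RE = re.compile(r"\[\[node:(\d+)\]\]")
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
ALLOWED_TAGS = {"a", "p", "em", "strong"}

def freelinking_unsafe(text):
    """Expand markers into links, copying the node title in verbatim (the flawed pattern)."""
    return MARKER_RE.sub(
        lambda m: f'<a href="/node/{m.group(1)}">{NODES[int(m.group(1))]}</a>', text)

def freelinking_fixed(text):
    """Same expansion, but the title is HTML-escaped before it reaches the output."""
    return MARKER_RE.sub(
        lambda m: f'<a href="/node/{m.group(1)}">{html.escape(NODES[int(m.group(1))])}</a>', text)

def limit_allowed_tags(text):
    """Stand-in for a 'Limit allowed HTML tags' filter: drop tags outside the allowlist."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", text)

def render(text, filters):
    """Run a text-format pipeline: filters apply in list order, like Drupal filter weights."""
    for f in filters:
        text = f(text)
    return text

def has_disallowed_tag(rendered):
    """True if the final markup still carries a tag the format's allowlist forbids."""
    return any(m.group(1).lower() not in ALLOWED_TAGS for m in TAG_RE.finditer(rendered))

if __name__ == "__main__":
    body = "Compare plans on [[node:2]]"
    # Sanitizer first, unsafe expander last: the title's markup is inserted after
    # filtering and survives. This is the ordering the advisory warns about.
    print(has_disallowed_tag(render(body, [limit_allowed_tags, freelinking_unsafe])))  # True
    # Unsafe expander first, sanitizer last: the allowlist filter strips the tag.
    print(has_disallowed_tag(render(body, [freelinking_unsafe, limit_allowed_tags])))  # False
    # Fixed expander: safe regardless of where it sits in the pipeline.
    print(has_disallowed_tag(render(body, [limit_allowed_tags, freelinking_fixed])))  # False
```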
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Freelinking 6.x-x.x versions prior to 6.x-3.5.
- Freelinking 7.x-x.x versions prior to 7.x-3.5.
Drupal core is not affected. If you do not use the contributed Freelinking module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Freelinking module for Drupal 6.x, upgrade to Freelinking 6.x-3.5
- If you use the Freelinking module for Drupal 7.x, upgrade to Freelinking 7.x-3.5
Please note that the plugin freelinking_path.inc contains multiple vulnerabilities and was removed in releases 6.x-3.3 and 7.x-3.3. Check whether this file is still present, and if it is, remove it from the plugin sub-directory before you install the latest version.
Also see the Freelinking project page.
Reported by
- Cash Williams of the Drupal Security Team
Fixed by
- Cash Williams of the Drupal Security Team
- Gisle Hannemyr, the module maintainer
Coordinated by
- Cash Williams of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.