Date:
Saturday, Mar 4th, 2017
Advisory ID:
BACKDROP-SA-CONTRIB-2017-001
Security risk:
Less Critical
Vulnerability:
Cross Site Scripting
Versions affected:
- Better Exposed filters 3.x versions prior to 3.4.0
Backdrop core is not affected. If you do not use the contributed Better Exposed filters module, there is nothing you need to do.
Description:
The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.
The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".
Solution:
Install the latest version:
- If you use the Better Exposed Filters module for Backdrop 1.x, upgrade to Better Exposed Filters 1.x-3.4.0 or greater.
Reported By:
- Henri Medot (anrikun) for Drupal
Fixed By:
- Henri Medot (anrikun)
- Mike Keran (mikeker), the Drupal module maintainer
- Jennifer Lea Lampton, the Backdrop module maintainer
Coordinated By:
- Geoff St Pierre of the Backdrop CMS Security Team
- Klaus Purer of the Drupal Security Team