- Coffee module versions prior to 1.x-2.2.2
The Coffee module helps you to navigate through the Backdrop admin menus faster with a shortcut popup.
The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
Upgrade your site to use the 1.x-2.2.2 version of the Coffee module.
- Michael Mol
- Oliver Köhler
- Klaus Purer of the D7 Security Group
- Jen Lampton of the Backdrop CMS Security Team
- Laryn Kragt Bakker
- Herb van Dool
- Jen Lampton of the Backdrop CMS Security Team