"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Wed, 2022-05-04 09:06 — Anonymous (not verified)

Project: Doubleclick for Publishers (DFP)Date: 2022-May-04Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.
The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".Solution: Install the latest version:

If you use the Doubleclick for Publishers module for Drupal 9.x, upgrade to DFP 8.x-1.2

Note that the Drupal 7 version of this module is unaffected.Reported By:

John Herreño

Fixed By:

Coordinated By:

Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2022-035

Search form

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035