E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

Project: E-Sign
Version: 7.x-1.9
Date: 2018-December-19
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting

Description: This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for nodes (content), the Field API (FAPI), and Webforms.

The module doesn't sufficiently filter user input when displaying a signature.

The vulnerability is mitigated by the fact that an attacker must have the ability to submit a signature. That permission might be associated with submitting a webform or with creating or editing a node, depending on site configuration.

Solution: Install the latest version:

  • If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10

Also see the E-Sign project page.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2018-080