As an academic group, we wanted to improve the look and feel of our website on a tight budget. The team at Project Ricochet was consistently responsive to our concerns and willing to help us meet our goals. They were transparent with their costs, which allowed us to pick and choose which features and changes we deemed most important. Thanks to this transparency, our new website is a substantial improvement over the old that we were able to achieve in a cost-effective fashion.
—Justin Inman, UCSF

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Wed, 2022-05-04 09:01 — Anonymous (not verified)

Project: LinkDate: 2022-May-04Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: This module enables you to add URL fields to entity types with a variety of options.
The module doesn't sufficiently filter output when token processing is disabled on an individual field.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.Solution: Install the latest version:

If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.11

Reported By:

Brad Bulger

Fixed By:

Damien McKenna of the Drupal Security Team
Brad Bulger
Greg Knaddison of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2022-034

Search form

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034