"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Wed, 2023-08-30 09:23 — Anonymous (not verified)

Project: Obfuscate EmailDate: 2023-August-30Security risk: Less critical 5∕25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.0.1Description: This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.
The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value.
This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.Solution: Install the latest version:

If you use the Obfuscate Email module for Drupal 2.0.0, upgrade to Obfuscate Email 2.0.1

Reported By:

Pierre Rudloff

Fixed By:

Coordinated By:

cilefen of the Drupal Security Team
Damien McKenna of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-042

Search form

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042