Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-September-22
Vulnerability:
Cross Site Scripting
Affected versions:
<1.4.0
Description:
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.
It does not sufficiently sanitize user input such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities.
This vulnerability is mitigated by the fact that an attacker must have permission to administer mega menus and/or create or edit menu links, to inject the XSS.
Solution:
Install the latest version:
- If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4
Reported By:
Fixed By:
- Patrick Fey
- Wade Stewart
- Greg Knaddison of the Drupal Security Team
- Chris Panza
- knaffles
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
