Needs review
Project: Nice dash
Version: 6.x-2.x-dev
Component: Code
Priority: Normal
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 21 Jun 2012 at 15:01 UTC
Updated: 28 Oct 2013 at 21:10 UTC
Description:
Nice Dash module provides site administrators the ability to create dashboards with custom widgets.
The module doesn't sufficiently filter user-supplied data in its admin screens leading to a Cross Site Scripting (XSS) vulnerability which could allow a user to change workflows including injecting malicious scripts to exploit the XSS.
This vulnerability is mitigated by the fact that an attacker must have a role with the administer nice dashboard.
Versions Affected:
version affected: <= 6.x-2.x
See attached patch for a fix applied on the 6.x-2.x branch of nice_dash module.
| Comment | File | Size | Author |
|---|---|---|---|
| | nice_dash_xss_fix.patch | 3.62 KB | lirantal |
Comments
Comment #1
damienmckenna
This should have been submitted as a security report!
greggles reminded me that only modules with stable releases (which this doesn't have) are covered by the security procedures, all others should be handled via issues in the respective issue queues. I apologize for jumping the gun.