Martin Barbella reported the following issues:

The name of the mp3 file is not properly sanitized when the JavaScript
to create the audio player is generated, resulting in a cross-site
scripting vulnerability.

The module also fails to sanitize various inputs on the MP3 player
administration page. In the cases where the user is prompted for 6
digit hex values to use as colors for the player, it will only check
that the value is 6 characters long, and will not verify that it is
hexadecimal, but as this is both difficult to exploit, and requires
that the user can administer the MP3 player module, the rest of this
report will only focus on the previous vulnerability.
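As an added illustration of the two input-handling problems described in the report (this is not code from the module, the reporter, or the patch linked below, and the mp3player_example_* functions and form field names are assumed), in Drupal 7 PHP:

```php
<?php
// Added example, not the module's own code. Function names prefixed
// mp3player_example_ and the form field names are hypothetical.

/**
 * Builds the inline JavaScript that configures the player for one file.
 *
 * Vulnerable pattern: the filename is concatenated straight into the
 * script, so a name containing a quote, a backslash or "</script>"
 * terminates the string literal and the rest of the name runs as script
 * (the XSS described in the report).
 */
function mp3player_example_player_js_unsafe($filename) {
  return "jQuery.mp3player({ file: '" . $filename . "' });";
}

/**
 * Hardened version: emit the value as a JSON string literal. The Drupal 7
 * helper escapes quotes, backslashes, '<', '>' and '&', so the value can
 * neither close the literal nor the enclosing <script> element.
 */
function mp3player_example_player_js_safe($filename) {
  return 'jQuery.mp3player({ file: ' . drupal_json_encode($filename) . ' });';
}

/**
 * Colour validation for the admin form. Checking only that strlen() == 6
 * accepts any six characters; require exactly six hex digits instead.
 */
function mp3player_example_valid_hex_color($value) {
  return (bool) preg_match('/^[0-9a-fA-F]{6}$/', $value);
}

/**
 * Form API validation callback applying the stricter colour check to
 * each (hypothetical) colour field on the settings form.
 */
function mp3player_example_admin_form_validate($form, &$form_state) {
  foreach (array('bg_color', 'text_color') as $field) {
    if (!mp3player_example_valid_hex_color($form_state['values'][$field])) {
      form_set_error($field, t('%field must be a 6-digit hexadecimal colour value.', array('%field' => $field)));
    }
  }
}
```

With the safe builder, a constructed filename such as `x'); alert(1); //` is rendered as a quoted JSON string and stays inside the `file` value; with the unsafe builder the same name ends the string literal early. The hex check matters less for exploitation, as the report notes, but it is the same one-line fix whichever form field it guards.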

As the module has no releases, this can be solved in public.

NOTE: we were so far unable to reproduce the filename issue.

Comments

markie

Status: Active » Patch (to be ported)

In a future release, the XSS issue is addressed in the output. See patch in https://drupal.org/node/2050425

markie

Status: Patch (to be ported) » Needs review

New branch created 6.x-2.x

markie

Version: 6.x-1.0-beta1 » 7.x-2.x-dev
Issue summary: View changes
Status: Needs review » Closed (fixed)

Killing all 6.x-1.x issues because they are not applicable.