Project: Focal Point
Version: 7.x-1.1, 7.x-1.0
Date: 2019-February-13
Security risk: Moderately critical 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:
This module enables a privileged user to specify the important part of an image for the purposes of cropping.
The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.
This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.
Solution:
Install the latest version:
If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2
https://www.drupal.org/sa-contrib-2019-015
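The sanitization failure the advisory describes is attribute-context escaping in a Drupal 7 form widget. The following PHP is an added example, not code from the Focal Point module or the advisory, contrasting hand-built markup with values passed through drupal_attributes() (which runs check_plain() on each value, as Drupal 7 core does); the focal_point_example_* functions, the fallback definitions and the sample path are assumptions so it runs as a plain script.

```php
<?php
// Added example, not Focal Point's own code: hand-built markup versus
// Drupal 7's drupal_attributes() for a widget's attribute values.
// The fallbacks reproduce D7 core so this runs as a plain PHP script;
// under a Drupal bootstrap the real functions are used instead.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('drupal_attributes')) {
  function drupal_attributes(array $attributes = array()) {
    foreach ($attributes as $attribute => &$data) {
      $data = implode(' ', (array) $data);
      $data = $attribute . '="' . check_plain($data) . '"';
    }
    return $attributes ? ' ' . implode(' ', $attributes) : '';
  }
}

// Unsafe: a value a user can influence (here the alt text) is interpolated
// straight into the tag, so a quote in it ends the attribute.
function focal_point_example_preview_unsafe($src, $alt) {
  return '<img src="' . $src . '" alt="' . $alt . '" class="focal-point-preview" />';
}

// Safe: keep values in an attribute array (as a form element's #attributes
// would be) and let drupal_attributes() escape each one.
function focal_point_example_preview_safe($src, $alt) {
  $attributes = array(
    'src' => $src,
    'alt' => $alt,
    'class' => array('focal-point-preview'),
  );
  return '<img' . drupal_attributes($attributes) . ' />';
}

// Constructed input: an alt text that closes its attribute and opens another.
$src = '/sites/default/files/example.jpg';  // hypothetical path
$alt = 'Sunset" title="injected';
$unsafe = focal_point_example_preview_unsafe($src, $alt);
$safe = focal_point_example_preview_safe($src, $alt);

// Check: the unsafe output gains a second attribute, the safe output keeps
// the whole string inside alt="...".
if (strpos($unsafe, ' title="injected"') === FALSE) { throw new Exception('unexpected'); }
if (strpos($safe, 'alt="Sunset&quot; title=&quot;injected"') === FALSE) { throw new Exception('unexpected'); }
echo $unsafe, "\n", $safe, "\n";
```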
https://www.drupal.org/project/focal_point/releases/7.x-1.2
Release notes
Security Issue 168858 by poiu, bleen, greggles: Fixed possible XSS issue (89 seconds ago)
2981114: Preview Page: Add unique class to each image by jedihe: Preview Page: Added unique class to each image (8 months ago)
2699577: Odd inconsistency on first upload of image by SpaghettiBolognese, DamienMcKenna: Fixed odd inconsistency on first upload of image (11 months ago)
2354887: Offset with container margin by janmilinds, Tessa Bakker, bleen: Fixed offset with container margin (1 year, 4 months ago)
https://www.drupal.org/project/focal_point/releases/7.x-1.1
Release notes
2906767: Link for creating new Image style is breaking in case of localhost by anup.singh: Fixed link to create a new image style on localhost (9 minutes ago)
2848694: Follow up for #2832030: Custom focal point overwritten by default data. by das-peter, pribeh, Ice-D: Follow up for #2832030: Calculate initial focal point for existing images: Custom focal point overwritten by default data (7 months ago)
2833786: Coding Standards by renatog: Coding Standards (9 months ago)
2832020: Initial focal point setting not calculated for Media browser fields by bmunslow: Initial focal point setting not calculated for Media browser fields (9 months ago)
2832030: Calculate initial focal point for existing images by bmunslow: Calculate initial focal point for existing images (9 months ago)
2823678: Fix Drupal coding standard - spacing issues by prince_zyxware: Fix Drupal coding standard - spacing issues (11 months ago)
https://www.drupal.org/project/focal_point/releases/7.x-1.0
Release notes
2739887: When removing title/alt fields from files using file_entity gives a notice by SpadXIII: Fixed notice when removing title/alt fields from files using file_entity
Code style fixes
https://www.drupal.org/project/focal_point/releases/7.x-1.0-beta6
Release notes
The primary reason for this release is to fix the error caused by an update hook in the previous release...
2661230: Does not convert existing Imagefield Focus data by bleen, valsgalore: Fixes does not convert existing Imagefield Focus data
2653332: Error on upgrade by jsst, bleen: Fixing error on upgrade
https://www.drupal.org/project/focal_point/releases/7.x-1.0-beta5
Release notes
2508668: Allow alteration of focal point on save by thePanz, bleen: Allow alteration of focal point on save (Added new hooks: hook_focal_point_save, hook_focal_point_delete, hook_focal_point_presave_alter)
2570507: Set the focal point default for Image Preview link on the File Add/Edit pages by Daniel Korte: Fixed the focal point default for Image Preview link on the File Add/Edit pages
2453429: Update test drive image to use file default scheme, so remote schemes work by scottrigby: Update test drive image to use file default scheme, so remote schemes work
2480641: Focal point doesn't show dimensions to admin unless loaded on an empty cache. by Sam152: Focal point doesn't show dimensions to admin unless loaded on an empty cache
2414193: Failure in hidden vertical tab by bleen18, cmonnow: Fixed failure in hidden vertical tab
2464139: Can't use a click to set focal point in Firefox by cmonnow, bleen18: Can't use a click to set focal point in Firefox
2426345: Can't set Focal Point on file entities that has no fields by kris84: Fixed can't set Focal Point on file entities that have no fields
2370865: Algorithm for a smart default focal point by GaëlG: Improved the algorithm for a smart default focal point