Project:
Focal Point
Version:
7.x-1.1
7.x-1.0
Date:
2019-February-13
Security risk:
Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:
Cross site scripting
Description:
This module enables a privileged user to specify the important part of an image for the purposes of cropping.
The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.
This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.
Solution:
Install the latest version:
If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2
Project: Focal Point Version: 7.x-1.1 7.x-1.0 Date: 2019-February-13 Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross site scripting Description: This module enables a privileged user to specify the important part of an image for the purposes of cropping.
The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.
This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget. Solution: Install the latest version:
If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2