• Advisory ID: DRUPAL-SA-CONTRIB-2011-044
  • Project: Homebox (third-party module)
  • Version: 6.x, 7.x
  • Date: 2011-October-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting (XSS)

Description

Homebox allows site administrators to create dashboards for their users, using blocks as widgets. Blocks in a Homebox page are resizable and can be reordered by dragging.

Homebox OG is a submodule of Homebox which allows Organic Groups administrators to specify a Homebox to be used as the group homepage for any Organic Group. Homebox OG does not sufficiently filter user-supplied text before output, which presents a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user account with a role permitted to create or edit an Organic Groups node.
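As an added illustration, not Homebox's own code (the function and field names are assumptions), the pattern behind a vulnerability of this class in a Drupal 6/7 module and its fix: user-supplied group text must pass through Drupal's check_plain() before it is placed in HTML.

```php
<?php
// Hypothetical rendering of an Organic Groups value inside a Homebox OG page.
// Function and field names are assumptions for this illustration; this is
// not the module's actual code.

// Outside a Drupal bootstrap, provide a minimal check_plain() so the file
// runs standalone. Drupal's own check_plain() is htmlspecialchars() with
// ENT_QUOTES and UTF-8, exactly as below.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a group whose title carries markup that a user with
// permission to edit the group node could have typed.
$group = (object) array(
  'nid'   => 42,
  'title' => 'Sales <script>alert(document.cookie)</script>',
);

// Vulnerable pattern: user-supplied text concatenated straight into markup,
// so the browser executes the script when the dashboard page renders.
function homebox_og_example_title_unsafe($group) {
  return '<h2 class="homebox-og-title">' . $group->title . '</h2>';
}

// Hardened pattern: escape on output. check_plain() encodes <, >, &, " and '
// so the browser displays the text instead of interpreting it as HTML.
function homebox_og_example_title_safe($group) {
  return '<h2 class="homebox-og-title">' . check_plain($group->title) . '</h2>';
}

echo "Unsafe: " . homebox_og_example_title_unsafe($group) . "\n";
echo "Safe:   " . homebox_og_example_title_safe($group) . "\n";
```

The same rule applies wherever such a value is emitted, including via t() with an @-placeholder, which check_plain()s the substituted value for you.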

Versions affected

  • Homebox 6.x-2.x versions.
  • Homebox 6.x-3.x versions prior to 6.x-3.0-beta3.
  • Homebox 7.x-2.x versions prior to 7.x-2.0-beta4.

Drupal core is not affected. If you do not use the contributed Homebox module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Homebox module for Drupal 6.x, upgrade to Homebox 6.x-3.0-beta5. Note that the 6.x-2.x branch is no longer supported; users of 6.x-2.x should upgrade to 6.x-3.x.
  • If you use the Homebox module for Drupal 7.x, upgrade to Homebox 7.x-2.0-beta6.

If you do not use the contributed homebox_og module you do not need to upgrade.

See also the Homebox project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.