- Advisory ID: DRUPAL-SA-CONTRIB-2016-063
- Version: 7.x
- Date: 2016-December-07
- Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Open Redirect, Multiple vulnerabilities
The module does not sufficiently check whether or not a callback is being properly accessed or filtering for potential XSS or CSRF exploits.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Install the latest version:
- If you use the js module for Drupal 7.x, upgrade to js 7.x-2.1
Note: this upgrade is not backwards compatible with 7.x-1.x. Existing contrib and custom module implementations of this API will either need to be upgraded, replaced or removed.
- Mark Carver (markcarver) - module maintainer
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity