I have several sites which make extensive use of Nodequeue, and Entityqueue for D7 doesn't have some key features that I use. I'm pleased to see some movement towards getting the security issue fixed. I'm wondering what kind of a risk we're taking by continuing to utilize the module as is.

I realize that specifics of a security risk are often withheld to avoid encouraging its exploitation, but it would be helpful to know what level of risk we're talking about and how we can monitor to see whether something has happened. I had contacted clients and explained that we'd be moving to Nodequeue and now am wondering what to tell them.

Thanks for any light you can shed.

Comments

HallSL created an issue. See original summary.

ciss

Status: Active » Fixed

Now that the module has a new maintainer it is again covered by the security advisory policy.

Additionally a new release containing a fix for the latest vulnerability has been published, and SA-CONTRIB-2019-085 has been updated with more details:

Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loaded.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "manipulate queues".
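The bug class the advisory describes (front-end JavaScript turning JSON fields into markup without escaping) is contrasted with the hardened form below in an added example; this is illustrative code, not nodequeue.js or any code from the module, and the JSON shape, field names and sample titles are constructed for the demonstration.

```javascript
// Added example: vulnerable vs. hardened rendering of JSON-derived queue data.
// Not the module's code; the data shape and names are assumptions.

// Escape the characters that let a string change the meaning of HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample response: the second title is the kind of
// attacker-influenced string that a queue-management endpoint could return.
const SAMPLE_QUEUE_JSON = JSON.stringify({
  items: [
    { nid: 1, title: 'Welcome post' },
    { nid: 2, title: '<b>not plain text</b>' },
  ],
});

// Vulnerable pattern: JSON fields are interpolated straight into markup, so
// any tag inside a title is interpreted by the browser instead of displayed.
function renderUnsafe(json) {
  const data = JSON.parse(json);
  return data.items.map((i) => `<li data-nid="${i.nid}">${i.title}</li>`).join('');
}

// Hardened pattern: every value taken from the JSON is escaped before it is
// placed into markup, so the title above is shown literally.
function renderSafe(json) {
  const data = JSON.parse(json);
  return data.items
    .map((i) => `<li data-nid="${escapeHtml(i.nid)}">${escapeHtml(i.title)}</li>`)
    .join('');
}

// Review check: does the rendered output contain any tag the renderer itself
// did not emit? A true result means data reached the DOM as live markup.
function hasUnexpectedTags(html, allowed = ['li']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}
```

The same check applies to any client-side code that builds HTML from server JSON: if `hasUnexpectedTags` flags the output, data is being treated as markup.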

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.