Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2020-June-10
Vulnerability:
Cross site scripting
Affected versions:
<1.5.0
Description:
This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.
The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:
Install the latest version:
- If you use the Open ReadSpeaker module for Drupal 8.x, upgrade to Open ReadSpeaker 8.x-1.5
Also see the Open ReadSpeaker project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
