This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.
The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-end markup.
This vulnerability is mitigated by the fact that it can only be exploited by an attacker with permissions to administer TB Mega Menu, or a sophisticated anonymous user using a site-specific attack that exploits the Cross Site Request Forgery vulnerability that is fixed by this same release.
Install the latest version:
- If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team