Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project:

Link

Date:

2022-May-04

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross site scripting

Description:

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Solution:

Install the latest version:

If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.11

Reported By:

Brad Bulger

Fixed By:

Damien McKenna of the Drupal Security Team
Brad Bulger
Greg Knaddison of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Contribution record

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community