Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Project:

Image Field Caption

Date:

2022-May-04

Security risk:

Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

<1.2.0

Description:

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.

The vulnerability is mitigated by several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.

Solution:

Install the latest version:

If you use the image_field_caption module for Drupal 9.x, upgrade to image_field_caption 8.x-1.2

Reported By:

Patrick Fey

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community