Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2022-July-27
Vulnerability:
Cross Site Scripting
Description:
This module enables you to conditionally display blocks in particular theme regions.
The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:
Install the latest version:
- If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.11.
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
