Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

Project:

Office Hours

Date:

2023-June-14

Security risk:

Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Scripting

Affected versions:

<1.11

Description:

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer display" regardless of other configurations. In some scenarios, the vulnerability can be exploited by a user with "Create content" or "Edit content" for a relevant Content type.

Solution:

Install the latest version:

If you use the 'Office hours' module for Drupal 8.x, upgrade to office_hours 8.x-1.11

Reported By:

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team

Contribution record

Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community