Project: 
Date: 2024-February-28
Vulnerability: Cross Site Scripting
Affected versions: <1.4.0
CVE IDs: CVE-2024-13247
Description: 

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
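
The escaping gap described above, shown as an added illustration that is not the Coffee module's own code: a popup renderer that concatenates menu titles into markup, the same renderer with output escaping, and a helper for auditing stored menu titles that contain markup characters. The function names, the `shortcut-popup` class and the sample menu links are assumptions constructed for this example.

```javascript
// Constructed sample data: menu links as a user with the "Administer menus and
// menu links" permission could define them. The second title carries markup.
const sampleMenuLinks = [
  { title: 'Content', url: '/admin/content' },
  { title: '<img src=x onerror="alert(1)">', url: '/admin/structure' },
];

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the menu title is placed into the markup unchanged, so
// any tags in the title become part of the popup's DOM.
function renderItemUnsafe(link) {
  return '<li><a href="' + link.url + '">' + link.title + '</a></li>';
}

// Hardened pattern: every value taken from menu data is escaped on output.
function renderItemSafe(link) {
  return '<li><a href="' + escapeHtml(link.url) + '">' +
    escapeHtml(link.title) + '</a></li>';
}

// Build the popup list with the chosen item renderer (hypothetical container).
function renderPopup(links, renderItem) {
  return '<ul class="shortcut-popup">' + links.map(renderItem).join('') + '</ul>';
}

// Audit helper: titles that change under escaping contain markup characters
// and are worth reviewing in existing menu data.
function titlesWithMarkup(links) {
  return links.map((l) => l.title).filter((t) => escapeHtml(t) !== t);
}

console.log(renderPopup(sampleMenuLinks, renderItemSafe));
console.log(titlesWithMarkup(sampleMenuLinks));
```

In a real DOM, assigning the title through `textContent` instead of building an HTML string gives the same protection without a hand-written escaper.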

Solution: 

Install the latest version:

  • If you use the Coffee module for Drupal 10, upgrade to Coffee 8.x-1.4
Reported By: 
Coordinated By: