Vigil@nce - Drupal Field Group: Cross Site Scripting
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Scripting in the Field Group
module of Drupal, in order to run JavaScript code in the context of
the web site.
Impacted products: Drupal Modules (not comprehensive).
Severity: 2/4.
Creation date: 07/01/2016.
DESCRIPTION OF THE VULNERABILITY
The Drupal product offers a Field Group module, to group fields on
entity forms and entity displays.
However, when a user adds an element in HTML format, it can contain
JavaScript code, which is not filtered before being inserted into
the generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting in the
Field Group module of Drupal, in order to run JavaScript code in the
context of the web site.
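The PHP example below is added here to show the filtering that the description says is missing; it is not part of the Vigil@nce bulletin and is not Field Group's code. It renders a group wrapper from user-supplied settings, using an allow-list for element and attribute names and escaping every value. The settings array shape, the allow-lists and the function names are assumptions made for the example.

```php
<?php
// Added example: hypothetical renderer, not the Field Group module's code.

// Allow-lists for the wrapper a user may configure (assumed values).
const ALLOWED_ELEMENTS = ['div', 'section', 'fieldset', 'span'];
const ALLOWED_ATTRIBUTES = ['id', 'class', 'title'];

/** Escape a value for HTML text or a double-quoted attribute. */
function esc(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a group wrapper from user-supplied settings.
 * $children is assumed to be already-rendered, trusted markup.
 */
function render_group(array $settings, string $children): string {
  // An element name outside the allow-list is replaced, never echoed.
  $element = strtolower((string) ($settings['element'] ?? 'div'));
  if (!in_array($element, ALLOWED_ELEMENTS, true)) {
    $element = 'div';
  }

  $attributes = '';
  foreach ((array) ($settings['attributes'] ?? []) as $name => $value) {
    $name = strtolower((string) $name);
    // Event handlers and any other unlisted attribute are dropped.
    if (in_array($name, ALLOWED_ATTRIBUTES, true)) {
      $attributes .= ' ' . $name . '="' . esc((string) $value) . '"';
    }
  }

  $label = isset($settings['label'])
    ? '<h3>' . esc((string) $settings['label']) . '</h3>'
    : '';
  return "<$element$attributes>$label$children</$element>";
}

// Constructed sample settings carrying script in each user-controlled slot.
$settings = [
  'element' => 'div onmouseover=alert(1)',
  'attributes' => ['class' => 'group" onclick="alert(2)', 'onload' => 'alert(3)'],
  'label' => '<script>alert(4)</script>Contact details',
];

echo render_group($settings, '<p>field output</p>'), "\n";
```

In the rendered output the wrapper is a plain `div`, the `onload` attribute is gone, and the quote and angle-bracket characters in the class and label appear as HTML entities, so none of the constructed values is interpreted as script.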
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Drupal-Field-Group-Cross-Site-Scripting-18649