===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2684
        Meta tags quick - Moderately critical - Cross Site Scripting
                               18 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Contrib Metatags quick
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.drupal.org/sa-contrib-2019-057

--------------------------BEGIN INCLUDED TEXT--------------------

Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

Project:        Meta tags quick
Date:           2019-July-17
Security risk:  Moderately critical 13/25
                AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:  Cross Site Scripting

Description:

Metatags quick is a module that manages meta tags (tags that appear in HTML's
head section) as Drupal 7 fields.

Administration page of metatags quick does not sanitize the output of blocks
that appear on the same page. This allows an attacker to inject malicious
JavaScript in block markup.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer blocks".

Solution:

Install the latest version. If you use the Metatags quick module for Drupal
7.x, upgrade to metatags quick 7.x-2.10.

Reported By:

  * Yonatan Offek

Fixed By:

  * Valery Lourie
  * Yonatan Offek

Coordinated By:

  * Greg Knaddison of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or
via the contact form.

Learn more about the Drupal Security team and their policies, writing secure
code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
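
To act on the Solution in the bulletin above, an audit can read the version stamp from the module's .info file and compare it numerically against 7.x-2.10 (a plain string comparison wrongly ranks "2.10" below "2.9"). This Python check is an added example, not part of the advisory or the module; it assumes the drupal.org packaging stamp `version = "7.x-N.M"`, and the sample .info contents are constructed.

```python
import re

FIXED = (2, 10)  # first fixed release named in the advisory: 7.x-2.10


def parse_info_version(info_text):
    """Return the version string from a Drupal 7 .info file body, or None."""
    m = re.search(r'^\s*version\s*=\s*"?([^"\r\n]+?)"?\s*$', info_text, re.M)
    return m.group(1) if m else None


def needs_upgrade(version):
    """True if the version predates 7.x-2.10 or cannot be verified."""
    if version is None:
        return True  # no packaging stamp (e.g. a git checkout): unverified
    m = re.fullmatch(r'7\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)\d+)?', version)
    if not m:
        return True  # dev snapshots such as 7.x-2.x-dev have no comparable number
    release = (int(m.group(1)), int(m.group(2)))
    if release == FIXED and m.group(3):
        return True  # a pre-release of 2.10 precedes the fixed release
    return release < FIXED  # integer tuples, so (2, 9) < (2, 10)


def audit(info_text):
    """Return (version, needs_upgrade) for one .info file body."""
    version = parse_info_version(info_text)
    return version, needs_upgrade(version)


# Constructed sample .info bodies (not taken from the real module).
SAMPLES = {
    "old": 'name = Meta tags quick\ncore = 7.x\nversion = "7.x-2.9"\n',
    "fixed": 'name = Meta tags quick\ncore = 7.x\nversion = "7.x-2.10"\n',
    "dev": 'name = Meta tags quick\ncore = 7.x\nversion = "7.x-2.x-dev"\n',
    "unstamped": 'name = Meta tags quick\ncore = 7.x\n',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        version, upgrade = audit(body)
        print(f"{label:10} version={version!r:16} upgrade_needed={upgrade}")
```
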