Critical and moderately critical security advisories for The Better Mega Menu module

The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

Project: The Better Mega Menu
Date: 2021-September-22
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities

Description

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-end markup.

This vulnerability is mitigated by the fact that it can only be exploited by an attacker with permission to administer TB Mega Menu, or by a sophisticated anonymous user mounting a site-specific attack through the Cross Site Request Forgery vulnerability (SA-CONTRIB-2021-040) that is fixed in this same release.

The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039

Project: The Better Mega Menu
Date: 2021-September-22
Security risk: Moderately critical 13∕25 
Vulnerability: Cross Site Scripting

Description

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not sufficiently sanitize user input, so an admin with permission to edit a menu may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have permission to administer mega menus and/or to create or edit menu links in order to inject the XSS.
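Both SA-CONTRIB-2021-038 and SA-CONTRIB-2021-039 come down to admin-supplied values (CSS properties in the first case, menu input in general in the second) reaching front-end markup unsanitized. The following is an added example, not TB Mega Menu's own code, of the defensive shape: validate each CSS value against a narrow allowlist, drop anything that fails, and escape what remains before it is placed in an attribute. It assumes Drupal's autoloader is available for `Drupal\Component\Utility\Html`; the function names and the property allowlist are hypothetical.

```php
<?php
// Added example (not the module's code): validating admin-supplied CSS
// before it reaches front-end markup. Function names are hypothetical.

use Drupal\Component\Utility\Html;

/**
 * Returns the value if it looks like a plain CSS length, hex colour or
 * keyword, otherwise NULL. The allowlist is deliberately narrow: no url(),
 * no quotes, no semicolons or braces that could end the declaration or the
 * attribute and start new markup.
 */
function tbmm_example_valid_css_value(string $value): ?string {
  $value = trim($value);
  // Lengths or bare numbers with an optional unit, e.g. 10px, 1.5em, 100%.
  $length = '/^-?\d+(\.\d+)?(px|em|rem|%|vw|vh)?$/';
  // Hex colours, e.g. #fff or #1a2b3c.
  $hex = '/^#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/';
  // Simple keywords, e.g. auto, none, left, inherit.
  $keyword = '/^[a-zA-Z-]{1,20}$/';
  foreach ([$length, $hex, $keyword] as $pattern) {
    if (preg_match($pattern, $value)) {
      return $value;
    }
  }
  return NULL;
}

/**
 * Builds an inline style attribute from an admin-supplied property map,
 * dropping unknown properties and invalid values and escaping the rest.
 */
function tbmm_example_style_attribute(array $properties): string {
  // Hypothetical allowlist of properties the menu editor may set.
  $allowed_properties = ['width', 'height', 'color', 'background-color', 'text-align', 'float', 'margin'];
  $declarations = [];
  foreach ($properties as $name => $value) {
    if (!in_array($name, $allowed_properties, TRUE)) {
      continue;
    }
    $clean = tbmm_example_valid_css_value((string) $value);
    if ($clean === NULL) {
      continue;
    }
    // Escaping is defence in depth: the allowlist already excludes quotes.
    $declarations[] = $name . ':' . Html::escape($clean);
  }
  return implode(';', $declarations);
}

// Vulnerable shape described by the advisory: raw values concatenated into
// the attribute, e.g. '<div style="' . $config['style'] . '">'.
// Hardened shape, run over constructed sample input that includes one value
// trying to close the attribute and inject markup:
$sample = [
  'width' => '200px',
  'color' => '#fff',
  'background-color' => '"><b>injected</b>',
];
print tbmm_example_style_attribute($sample);
// width:200px;color:#fff   (the third value is dropped, not escaped-and-kept)
```

The same approach applies to the non-CSS menu input covered by SA-CONTRIB-2021-039: decide what each field may legitimately contain, reject the rest, and let Drupal's render system (`#plain_text`, `#markup` with `Xss::filter`, or Twig auto-escaping) do the final escaping rather than building HTML strings by hand.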

The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

Project: The Better Mega Menu
Date: 2021-September-22
Security risk: Critical 15∕25 
Vulnerability: Cross Site Request Forgery

Description

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not use CSRF tokens to protect routes for saving menu configurations.

This vulnerability can be exploited by an anonymous user.
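As an added example that is not part of the advisory or the module, here is the difference between a configuration-saving handler that trusts any POST it receives and one that requires a CSRF token bound to the route. It uses Drupal's real `CsrfTokenGenerator` service (`\Drupal::csrfToken()`); the route name `tbmm_example_save`, the function names and the `X-CSRF-Token` header are assumptions for the example.

```php
<?php
// Added example (not the module's code): protecting a configuration-saving
// route against CSRF. Route name, handler names and header are hypothetical.

use Drupal\Core\Access\CsrfTokenGenerator;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

/**
 * Vulnerable shape: the handler trusts any POST that reaches it, so a page
 * on another origin can make the admin's browser submit a request carrying
 * the admin's session cookie, and the configuration is saved.
 */
function tbmm_example_save_unprotected(Request $request): JsonResponse {
  $config = json_decode($request->getContent(), TRUE);
  // ... persist $config ...
  return new JsonResponse(['status' => 'saved']);
}

/**
 * Hardened shape: require a token tied to this route and to the current
 * session, and reject the request unless it validates. A cross-origin page
 * cannot read the token, so it cannot forge a valid request.
 */
function tbmm_example_save_protected(Request $request, CsrfTokenGenerator $csrf): JsonResponse {
  $token = (string) $request->headers->get('X-CSRF-Token', '');
  if (!$csrf->validate($token, 'tbmm_example_save')) {
    return new JsonResponse(['status' => 'forbidden'], 403);
  }
  $config = json_decode($request->getContent(), TRUE);
  // ... persist $config ...
  return new JsonResponse(['status' => 'saved']);
}

// The legitimate client obtains the token from the same service and sends it
// back in the header checked above:
// $token = \Drupal::csrfToken()->get('tbmm_example_save');
```

For ordinary routes the declarative equivalent is the `_csrf_token: 'TRUE'` requirement in the module's `routing.yml`, which makes Drupal validate a `token` query parameter against the route path; forms built with the Form API carry a token automatically, so the gap described here typically arises in custom AJAX or JSON endpoints that bypass both mechanisms.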

The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041

Project: The Better Mega Menu
Date: 2021-September-22
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

This module has a vulnerability whereby users can select, as a menu item, blocks that they do not have permission to view.

The vulnerability is mitigated by the fact that it can only be exploited by an attacker with the "Administer TB Mega Menu" permission.
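The access bypass above is the classic case of an admin UI that lists every block definition without asking whether the current account may view each one. The following added example, which is not the module's code, shows the unchecked selector beside one that filters through `BlockPluginInterface::access()`, a real Drupal method. The function names and the shape of the `$definitions` array (keyed by plugin id, with an `admin_label`) follow the block plugin manager's `getDefinitions()`; the call site at the bottom is hypothetical.

```php
<?php
// Added example (not the module's code): restricting the blocks offered in
// a menu-item selector to those the current user may view.

use Drupal\Core\Block\BlockPluginInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Vulnerable shape: every block definition is offered, so a user holding the
 * administer permission can pick a block they are not allowed to see, and
 * the menu then renders it for them and for anyone else who views the menu.
 */
function tbmm_example_block_options_unchecked(array $definitions): array {
  $options = [];
  foreach ($definitions as $plugin_id => $definition) {
    $options[$plugin_id] = (string) $definition['admin_label'];
  }
  return $options;
}

/**
 * Hardened shape: instantiate each block and ask it whether the account may
 * view it; only those are offered. Context-aware blocks need their contexts
 * set before access() is meaningful; that step is omitted here.
 */
function tbmm_example_block_options_checked(array $definitions, AccountInterface $account): array {
  $manager = \Drupal::service('plugin.manager.block');
  $options = [];
  foreach ($definitions as $plugin_id => $definition) {
    /** @var BlockPluginInterface $block */
    $block = $manager->createInstance($plugin_id);
    if ($block->access($account)) {
      $options[$plugin_id] = (string) $definition['admin_label'];
    }
  }
  return $options;
}

// Hypothetical call site: build the selector for the current user.
// $definitions = \Drupal::service('plugin.manager.block')->getDefinitions();
// $options = tbmm_example_block_options_checked($definitions, \Drupal::currentUser());
```

Filtering the selector is only half of the fix: stored menu configuration can predate a permission change, so the same `access()` check belongs in the render path as well, so that a block a viewer may not see is never emitted into the menu markup.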

Solution

Install the latest version:

If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4
