Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024

drupal hosting

Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution

Install the latest version:

If you use the Open ReadSpeaker module for Drupal 8.x, upgrade to Open ReadSpeaker 8.x-1.5

Also see the Open ReadSpeaker project page.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kind of Open Source applications, AI, bitcoins, but mostly about Drupal. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.