Project
Date
Severity
Less Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.2
Description
The Boolean module defines a 3-state boolean field type for Drupal 7 (values: true/1, false/0, not set/-1), including a formatter that can wrap output values with configurable prefix and suffix strings.
The module outputs string directly as markup without sanitization, allowing a user with administer fields permission to store malicious HTML or JavaScript in field instance settings that is then rendered to all site visitors.
This vulnerability is mitigated by the fact that exploitation requires the administer fields permission, which is typically restricted to trusted administrators.
Solution
Install the latest version.
If you use the Boolean Field module for Drupal 7, upgrade to boolean 7.x-1.2:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES