Description
The Fit Text module integrates the FitText jQuery plugin, which scales font sizes responsively based on CSS selectors configured by an administrator.
The fit_text_init() function in fit_text.module interpolates each configured selector directly into a JavaScript string without any encoding, so special characters including quotes, angle brackets, and script payloads pass through verbatim into the page's inline JavaScript.
This vulnerability is mitigated by the fact that exploiting it requires the "administer fittext" permission; however, because the injected JavaScript is emitted on every page, a compromised or malicious administrator account can affect all anonymous and authenticated visitors site-wide.
Solution
Install the latest version.
If you use the Fit Text module for Drupal 7, upgrade to fit_text 7.x-1.1:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES