Date
Severity
Moderately Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.1

Description

The Fit Text module integrates the FitText jQuery plugin, which scales font sizes responsively based on CSS selectors configured by an administrator.

The fit_text_init() function in fit_text.module interpolates each configured selector directly into a JavaScript string without any encoding, so special characters including quotes, angle brackets, and script payloads pass through verbatim into the page's inline JavaScript.

This vulnerability is mitigated by the fact that exploiting it requires the "administer fittext" permission; however, because the injected JavaScript is emitted on every page, a compromised or malicious administrator account can affect all anonymous and authenticated visitors site-wide.

Solution

Install the latest version.

If you use the Fit Text module for Drupal 7, upgrade to fit_text 7.x-1.1:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES