Project
Date
Severity
Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-3.3
Description
The Get Directions module provides Google Maps-based directions between addresses, integrating with the Location module to display address information.
The module's `theme_getdirections_loadaddress()` function assembled address components (street, additional, city, province_name, postal_code, country) into an HTML string without passing them through `check_plain()`, meaning any HTML or JavaScript stored in those fields was output verbatim to the page.
This vulnerability is mitigated by the fact that an attacker must have permission to create or edit content with associated location fields.
Solution
Install the latest version.
If you use the Get Directions module for Drupal 7, upgrade to getdirections-7.x-3.3:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES