Project
Date
Severity
Less Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.1
Description
The Icon API: Menu module provides icon integration for Drupal menu items, allowing per-item configuration of icon display including an optional title wrapper element with a configurable CSS class.
The module failed to sanitize the title wrapper class setting before rendering it as an HTML attribute value, permitting injection of malicious HTML attributes and JavaScript into menu link output.
This vulnerability is mitigated by the fact that exploitation requires the "administer icons" or "administer menu icons" permission.
Solution
Install the latest version.
If you use the Icon API module for Drupal 7, upgrade to icon 7.x-1.1:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES