Date
Severity
Less Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.1

Description

The Icon API: Menu module provides icon integration for Drupal menu items, allowing per-item configuration of icon display including an optional title wrapper element with a configurable CSS class.

The module failed to sanitize the title wrapper class setting before rendering it as an HTML attribute value, permitting injection of malicious HTML attributes and JavaScript into menu link output.

This vulnerability is mitigated by the fact that exploitation requires the "administer icons" or "administer menu icons" permission.

Solution

Install the latest version.

If you use the Icon API module for Drupal 7, upgrade to icon 7.x-1.1:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES