- 🇦🇹Austria klausi 🇦🇹 Vienna
This was released as backdrop security fix in https://backdropcms.org/security/backdrop-sa-core-2024-001
Raising priority to critical as this is a small XSS vulnerability, but fortunately can only be exploited by trusted admins as Damien said.
Setting to "needs work" as I think we should do the same fix as Backdrop.
- Status changed to Needs review
6 months ago 8:47am 4 July 2024 - Status changed to RTBC
6 months ago 10:09am 4 July 2024 - 🇺🇸United States DamienMcKenna NH, USA
Thank you all for working on the fix and reviewing it.
- 🇧🇷Brazil renatog Campinas
If confirmed that is a security issue we should follow this instruction, right?!
Warning message
Security issues should not be reported here. Follow the procedure for reporting security issues → .
- 🇦🇹Austria klausi 🇦🇹 Vienna
It is a security issue, but it falls outside of the security advisory policy of the Drupal Security team. The vulnerability can only be exploited if the attacker has an elevated permission "administer fields". Therefore we can fix this in public (not sure why Backdrop issued an advisory).
Clarified that in the issue summary
- 🇺🇸United States DamienMcKenna NH, USA
Thanks Klausi.
Put another way - this is a minor security hardening issue for some rare scenarios, rather than a something a non-admin would be able to exploit.
- Status changed to Active
5 months ago 9:15am 12 July 2024 - 🇦🇹Austria klausi 🇦🇹 Vienna
Oh hm, @jenlampton replied in Slack that the Backdrop fix is not necessary for Drupal 7 because Views UI has an extra XSS filter that Backdrop does not have anymore. She is right, I tried to exploit this but could not get XSS to trigger when adding a field in the Views UI.
Is there any other place where these field labels are displayed?
Very sorry for the noise here, I should have tested my assumptions fully before escalating here. Downgrading the priority again and setting this back to active.
For the Views module in Drupal 7 I think we should not remove the extra XSS filter in Views UI, even if there could be some double escaping then. Keeping the potential double escaping is the secure choice at this point in the late D7 cycle.
Let me know if you see the XSS trigger and where exactly!