=====================================================================
CERT-Renater Information Note No. 2013/VULN308
_____________________________________________________________________
DATE : 11/07/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running TinyBox for DRUPAL versions 7.x.
======================================================================
http://drupal.org/node/2038807
______________________________________________________________________

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

Posted by Drupal Security Team on July 10, 2013 at 2:24pm

Advisory ID: DRUPAL-SA-CONTRIB-2013-057
Project: TinyBox (Simple Splash) (third-party module)
Version: 7.x
Date: 2013-July-10
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

The TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide a splash screen/window as simply as possible.

The module doesn't filter user-supplied text prior to display.

The vulnerability is mitigated by the fact that an attacker must have the permission "administer tinybox".

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

TinyBox 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed TinyBox (Simple Splash) module, there is nothing you need to do.

Solution

Install the latest version:

- If you use the TinyBox module for Drupal 7.x, upgrade to TinyBox 7.x-2.2

Also see the TinyBox (Simple Splash) project page.

Reported by
Daniel Nitscher

Fixed by
Wendy William, S.Kom, the module maintainer

Coordinated by
Greg Knaddison and Peter Wolanin of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 7.x
======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris             | email: cert@support.renater.fr +
==========================================================
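As an added check for the "Versions affected" and "Solution" sections above (not part of the CERT-Renater note or of the TinyBox project): the script reads the version line that drupal.org packaging writes into the installed module's tinybox.info and reports whether it is older than the 7.x-2.2 release the advisory names. The module directory sites/all/modules/tinybox is an assumed default; the sed pattern for the .info version line is the only thing the check relies on.

```shell
#!/bin/sh
# Added example, not part of the CERT-Renater note or of the TinyBox project.
# drupal.org packaging appends a line such as   version = "7.x-2.1"   to a
# contributed module's .info file; this script reads it from the installed
# TinyBox module and compares it with 7.x-2.2. Default module path is assumed.

# Print the packaged version string found in a Drupal 7 .info file (or nothing).
tinybox_info_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Exit 0 when a 7.x-2.x version is older than 7.x-2.2 (upgrade needed),
# 1 when it is 7.x-2.2 or newer, and 2 when the string is not a numbered
# 7.x-2.x release (other branch, 7.x-2.x-dev, malformed): those cannot be
# judged from the advisory and must be reviewed by hand, not treated as safe.
tinybox_needs_upgrade() {
    ver=$1
    case $ver in
        7.x-2.*) ;;
        *) return 2 ;;
    esac
    minor=${ver#7.x-2.}        # "0", "1-beta1", "x-dev", ...
    minor=${minor%%-*}         # strip any -beta/-dev suffix
    case $minor in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$minor" -lt 2 ]
}

# Inspect an installed module directory and print a verdict; the return code
# mirrors tinybox_needs_upgrade (0 = upgrade, 1 = current, 2 = review).
check_tinybox_tree() {
    dir=${1:-sites/all/modules/tinybox}   # assumed default location
    info="$dir/tinybox.info"
    if [ ! -f "$info" ]; then
        echo "no $info: TinyBox is not installed here, nothing to do"
        return 1
    fi
    ver=$(tinybox_info_version "$info")
    tinybox_needs_upgrade "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "TinyBox $ver: affected by DRUPAL-SA-CONTRIB-2013-057, upgrade to 7.x-2.2" ;;
        1) echo "TinyBox $ver: 7.x-2.2 or later, not affected" ;;
        *) echo "TinyBox $ver: not a numbered 7.x-2.x release, review manually" ;;
    esac
    return "$rc"
}

if [ $# -gt 0 ]; then check_tinybox_tree "$@"; fi
```

Run it as `sh check_tinybox.sh /path/to/drupal/sites/all/modules/tinybox`; a dev snapshot or a different release branch is deliberately reported for manual review rather than as safe.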