
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN424
_____________________________________________________________________

DATE                : 27/12/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running E-Sign for Drupal versions prior
                     to 7.x-1.10.

=====================================================================
https://www.drupal.org/sa-contrib-2018-080
_____________________________________________________________________

E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

Project: E-Sign
Version: 7.x-1.9
Date: 2018-December-19
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

This module allows for integration of Signature Pad, an electronic-signing
script, into Drupal for nodes (content), the Field API (FAPI), and
Webforms.

The module doesn't sufficiently filter user input when displaying a
signature.

The vulnerability is mitigated by the fact that an attacker must have
the ability to submit a signature. That permission might be associated
with submitting a webform or creating or editing a node depending on
site configuration.
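As an added illustration (not the E-Sign module's own code), the following
Drupal 7 field formatter shows the defensive pattern the advisory calls for
when displaying a signature: the user-submitted Signature Pad stroke data is
validated and handed to JavaScript as a typed setting, and any free-text
value is escaped with check_plain() before it reaches #markup. The function
name, field columns and JavaScript setting name are hypothetical.

```php
<?php
/**
 * Hypothetical Drupal 7 formatter for a Signature Pad field (added example,
 * not the E-Sign module's code). The stored signature is user input, so
 * nothing from $items reaches the page without validation or escaping.
 *
 * Implements hook_field_formatter_view().
 */
function example_signature_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    // Signature Pad stores strokes as a JSON string; decode it so that
    // anything that is not an array of stroke objects is rejected outright.
    $strokes = drupal_json_decode($item['signature']);
    if (!is_array($strokes)) {
      continue;
    }
    // Keep only the numeric coordinates the drawing script needs.
    $points = array();
    foreach ($strokes as $stroke) {
      if (is_array($stroke) && isset($stroke['lx'], $stroke['ly'], $stroke['mx'], $stroke['my'])) {
        $points[] = array(
          'lx' => (int) $stroke['lx'], 'ly' => (int) $stroke['ly'],
          'mx' => (int) $stroke['mx'], 'my' => (int) $stroke['my'],
        );
      }
    }
    $id = drupal_html_id('signature-' . $delta);
    // Pass the stroke data to JavaScript as a Drupal.settings entry instead
    // of interpolating it into inline script or HTML attributes.
    drupal_add_js(array('exampleSignature' => array($id => $points)), 'setting');
    // Any human-readable text (hypothetical signer_name column) is escaped.
    $name = isset($item['signer_name']) ? check_plain($item['signer_name']) : '';
    $element[$delta] = array(
      '#markup' => '<div class="signature" id="' . $id . '"></div>'
        . ($name !== '' ? '<div class="signature-name">' . $name . '</div>' : ''),
    );
  }
  return $element;
}
```

The client-side script that redraws the strokes would read them from Drupal.settings.exampleSignature[id], so no user-controlled string is ever parsed as HTML or script.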


Solution:

Install the latest version:

    If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10

Also see the E-Sign project page.


Reported By:

    Mitch Portier

Fixed By:

    Adam Weiss
    Mitch Portier

Coordinated By:

    Greg Knaddison of the Drupal Security Team

===============================================================
+ CERT-RENATER               | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel         | fax : 01-53-94-20-41           +
+ 75013 Paris                | email: cert@support.renater.fr +
===============================================================


