Advanced Poll 6.x versions - XSS Vulnerability
During the weekend I discovered an XSS issue with the Advanced Poll module. I've made sure to provide a patch and submit this to the issue queue.
I have actually submitted a few other SAs in the past, one of them was for the nice_dash module, which aims to provide a dashboard interface for Drupal administrators, but unfortunately it wasn't yet commited.
Drupal Security Advistory - XSS vulnerability in Advanced Poll module versions 6.x-3.x and prior
Project: Advanced Poll (third-party module)
Version: 6.x-3.x and earlier
Date: 2013-10-25
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
This module enables you to create advanced types of polls, such as binary and ranking poll, as the module calls them. The module did not sufficiently filter poll question titles for malicious JavaScript. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit polls.
Versions affected
Advanced Poll 6.x-3.x and all prior versions
Solution
Apply the patch
Reported by
Liran Tal <liran.tal@gmail.com>
Fixed by
Liran Tal <liran.tal@gmail.com>
Tags: drupaldrupal-planet