2024/02/28
Project: Coffee
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: <7.x-2.4
Description
The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.
The module does not sufficiently escape menu names before displaying them in the popup, so a crafted menu name can inject script into the pages of users who open the popup (cross-site scripting).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
See also Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011.
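The class of bug described above, as an added illustration that is not the Coffee module's own code: a client-side shortcut popup that renders menu names fetched from the server. The menu data, the rendering functions and the sample payload are all constructed for this example; in Drupal 7 menu names are editable by anyone holding "Administer menus and menu links", so the popup must treat them as untrusted text rather than as markup.

```javascript
// Added illustration, not code from the Coffee module. A popup that renders
// menu names it received from the server. Because an admin with the menu
// permission controls those names, they are attacker-supplied data.

// Constructed sample data: the second title is what a hostile menu editor
// could save as a menu name (hypothetical payload, not from the advisory).
const menuItems = [
  { title: 'Content', path: 'admin/content' },
  { title: 'Reports <img src=x onerror="alert(document.cookie)">', path: 'admin/reports' },
];

// Vulnerable pattern: the title is concatenated straight into HTML that the
// popup would then assign to innerHTML, so any tag in the title is executed.
function renderUnsafe(items) {
  return items
    .map((i) => `<li><a href="/${i.path}">${i.title}</a></li>`)
    .join('');
}

// Minimal HTML escaper covering text content and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every dynamic value is escaped before it reaches the
// markup, so the menu name is shown literally instead of being parsed as HTML.
function renderSafe(items) {
  return items
    .map((i) => `<li><a href="/${escapeHtml(i.path)}">${escapeHtml(i.title)}</a></li>`)
    .join('');
}

// Check used below: did a tag from the input survive into the output?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe output injects a tag:', containsInjectedTag(renderUnsafe(menuItems)));
console.log('safe output injects a tag:  ', containsInjectedTag(renderSafe(menuItems)));
```

In a real browser the equivalent of `renderSafe` is to build the list with `document.createElement` and assign names with `textContent` rather than `innerHTML`; on the Drupal 7 server side the same rule means passing menu names through `check_plain()` before they are emitted to the client.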
Solution
Install the latest version.
If you use the Coffee module for Drupal 7, upgrade to Coffee 7.x-2.4.
Reported by
Fixed by
Coordinated by
- Greg Knaddison of the Drupal Security Team