Coffee - Moderately critical - Cross Site Scripting - D7SECURITY-SA-CONTRIB-2024-001

2024/02/28

Project: Coffee

Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Cross Site Scripting

Affected versions: <7.x-2.4

Description

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

See also Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011.
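The escaping gap described above, shown as an added example (this is not the Coffee module's code or its patch): a popup list built by string concatenation, next to a version that encodes each stored value before it reaches the markup. All function names, the `popup-results` class and the sample menu entries are hypothetical and constructed for illustration.

```javascript
// Added illustration; not the Coffee module's code. All names are hypothetical.

// Constructed sample data: menu links as an admin shortcut popup might receive them.
const menuItems = [
  { title: 'Content', path: 'admin/content' },
  // A title saved by a user holding "Administer menus and menu links".
  { title: '<img src=x onerror="alert(document.domain)">', path: 'admin/structure' },
];

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function renderItemUnsafe(item) {
  return '<li><a href="/' + item.path + '">' + item.title + '</a></li>';
}

// Hardened pattern: each stored value is encoded for the context it lands in.
function renderItemEscaped(item) {
  const href = '/' + item.path.split('/').map(encodeURIComponent).join('/');
  return '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(item.title) + '</a></li>';
}

function renderPopup(items, renderItem) {
  return '<ul class="popup-results">' + items.map(renderItem).join('') + '</ul>';
}

// True when the rendered list contains any element other than ul, li or a.
// Usable as a regression check on the popup's output.
function containsUnexpectedElement(html) {
  return /<(?!\/?(?:ul|li|a)\b)[a-z!\/]/i.test(html);
}

console.log(containsUnexpectedElement(renderPopup(menuItems, renderItemUnsafe)));
console.log(containsUnexpectedElement(renderPopup(menuItems, renderItemEscaped)));
```
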

Solution

Install the latest version.

If you use the Coffee module for Drupal 7, upgrade to Coffee 7.x-2.4.

Reported by

Fixed by

Coordinated by