Date: 2023-May-31
Vulnerability: Cross Site Scripting
Affected versions: <1.21.0 || >=2.0.0 <2.0.4
Description:

This module provides social media share & follow buttons.

The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permissions to configure malicious code, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

  • If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10, upgrade to AddToAny 2.0.4
  • If you use the AddToAny Share Buttons module for Drupal versions before 9.4, upgrade to AddToAny 8.x-1.21
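To find which sites still need the upgrade, the affected range above can be checked against an inventory of installed AddToAny versions. The script below is an added example, not part of the advisory or the module. It assumes a legacy version string such as 8.x-1.20 corresponds to 1.20.0 in the range, and the site names and versions in the inventory are constructed sample data.

```python
import re

# Affected range as published in the advisory: <1.21.0 || >=2.0.0 <2.0.4
FIXED_1X = (1, 21, 0)
FIRST_2X = (2, 0, 0)
FIXED_2X = (2, 0, 4)

# Accepts "8.x-1.20" (legacy contrib scheme) or "2.0.3" / "1.21" (semantic scheme).
_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(raw):
    """Normalise a version string to a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(raw.strip().lstrip("v"))
    if not m:
        # Dev snapshots and pre-releases are not classified automatically.
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(raw):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(raw)
    return v < FIXED_1X or FIRST_2X <= v < FIXED_2X


def triage(inventory):
    """Map each site to 'affected', 'not_affected' or 'review'."""
    result = {}
    for site, version in inventory.items():
        try:
            result[site] = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            result[site] = "review"  # needs a manual look
    return result


# Constructed inventory: site names and versions are sample data (assumption).
SAMPLE = {
    "intranet": "8.x-1.20",
    "blog": "8.x-1.21",
    "shop": "2.0.3",
    "docs": "2.0.4",
    "staging": "2.0.x-dev",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE).items():
        print(f"{site:10} {SAMPLE[site]:12} {status}")
```

Sites reported as "review" run a version string the range does not classify and should be checked by hand.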
Reported By: 
Coordinated By: