
V-216: Drupal Monster Menus Module Security Bypass and Script Insertion Vulnerabilities

August 12, 2013 - 6:00am


PROBLEM:

Two vulnerabilities have been reported in the Monster Menus module for Drupal.

PLATFORM:

Drupal Monster Menus Module 6.x and 7.x

ABSTRACT:

The vulnerabilities can be exploited by malicious users to bypass certain security restrictions and conduct script insertion attacks.

REFERENCE LINKS:

Secunia Advisory SA54391
Drupal Security Advisory
CVE-2013-4229
CVE-2013-4230

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) Input passed via the title when editing page settings is not properly sanitised before being output again the next time the settings are edited. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.

2) The mm_webform submodule does not properly restrict access, which can be exploited to delete webform submissions.
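The two defect classes above (a stored value echoed unescaped into an edit form, and a destructive path with no access check), shown as an added example in a hypothetical Drupal 7 module named example_mm. This is not Monster Menus code and does not claim to reproduce the module's actual root cause; the function names, the path, the permission string and the omitted confirm-form builder are all assumptions.

```php
<?php
// Added illustrative example (hypothetical Drupal 7 module "example_mm"), not
// Monster Menus code; it shows the two defect classes, not the actual root cause.

// 1) Stored script insertion: a saved title shown again when settings are edited.
function example_mm_settings_form($form, &$form_state, $page) {
  // VULNERABLE: stored value concatenated into markup, so a <script> saved as the
  // title runs in the browser of whoever opens the edit form next.
  //   $form['current'] = array('#markup' => '<p>Editing: ' . $page->title . '</p>');
  // HARDENED: escape at output time; t() with an @placeholder runs check_plain().
  $form['current'] = array(
    '#markup' => '<p>' . t('Editing: @title', array('@title' => $page->title)) . '</p>',
  );
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Title'),
    '#default_value' => $page->title, // Form API escapes #default_value itself.
  );
  $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

// 2) Access bypass: a destructive submission path needs an access callback and a
//    confirm form, not a bare GET handler reachable by anyone.
function example_mm_permission() {
  return array('delete example_mm submissions' => array(
    'title' => t('Delete webform submissions stored by example_mm'),
  ));
}

function example_mm_menu() {
  $items['example-mm/node/%node/submission/%/delete'] = array(
    // example_mm_delete_confirm is an assumed confirm_form() builder (not shown).
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_mm_delete_confirm', 2, 4),
    // VULNERABLE would be: 'access callback' => TRUE  (no restriction at all).
    'access callback' => 'example_mm_delete_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_mm_delete_access($node) {
  // Require the module permission and update rights on this specific node.
  return user_access('delete example_mm submissions') && node_access('update', $node);
}
```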

IMPACT:

Security Bypass
Cross Site Scripting

SOLUTION:

The vendor recommends installing the latest version (6.x-6.61 for 6.x or 7.x-1.13 for 7.x).
