Project
Date
Severity
Moderately Critical
Vulnerability
Cross Site Scripting
Affected versions
≤7.x-2.3
Description
This is a port of a patched vulnerability by D7Security group in Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011.
The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
This is a public release of the port of that patch, provided to Tag1 D7ES customers.
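As an added illustration (not the Coffee module's own code), the defect class described above: a menu link name concatenated into the popup markup as-is, beside the escaped form. The escape function mirrors Drupal 7's Drupal.checkPlain(); the menu item shape, the list markup and the sample items are assumptions constructed for the example.

```javascript
// Added example, not code from the Coffee module: escaping menu link names
// before they enter popup HTML. Item shape and markup are assumed.

// Equivalent of Drupal 7's Drupal.checkPlain(): escape the characters that
// matter when a string lands in HTML text or a double-quoted attribute.
function escapeHtml(str) {
  const replacements = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(str).replace(/[&"<>]/g, (c) => replacements[c]);
}

// Before: the menu name goes into the markup untouched, so any markup an
// administrator put in the name is interpreted when the popup renders.
function renderMenuItemUnescaped(item) {
  return '<li><a href="' + item.href + '">' + item.title + '</a></li>';
}

// After: name and path are escaped at the point they enter the markup.
function renderMenuItemEscaped(item) {
  return '<li><a href="' + escapeHtml(item.href) + '">' +
    escapeHtml(item.title) + '</a></li>';
}

// Build the whole popup list; every entry goes through the escaped renderer.
function renderPopup(items) {
  return '<ul class="coffee-results">' +
    items.map(renderMenuItemEscaped).join('') + '</ul>';
}

// Constructed sample (not real site data): one name contains markup and
// characters that must be escaped, one is plain.
const sampleItems = [
  { title: 'Reports <em>beta</em> & "stats"', href: '/admin/reports' },
  { title: 'Content', href: '/admin/content' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unescaped: ' + renderMenuItemUnescaped(sampleItems[0]));
  console.log('escaped:   ' + renderPopup(sampleItems));
}
```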
Solution
If you use the Coffee module, update to Coffee X.X [Link to our public GL repo]
- coffee-7.x-X.tar.gz [Link to our public release file]
- coffee-7.x-X.zip [Link to our public release file]
Reported by
- Patrick Fey
Fixed by
- Michael Mol
- Klaus Purer
- Oliver Köhler
Coordinated by
- Tag1 D7ES