Drupal Services Single Sign-On Client Module Cross Site Scripting Vulnerability

The Services Single Sign-On Client module for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied text.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Services Single Sign-On Client 7.x-1.x-dev prior to 7.x-1.6 are affected.

Information

Bugtraq ID: 102189
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Nov 29 2017 12:00AM
Updated: Nov 29 2017 12:00AM
Credit: Scott Allison
Vulnerable: Drupal Services single sign-on client 7.x-1.x-dev
Drupal Services single sign-on client 7.x-1.5
Drupal Services single sign-on client 7.x-1.4
Drupal Services single sign-on client 7.x-1.3
Drupal Services single sign-on client 7.x-1.2
Drupal Services single sign-on client 7.x-1.1

Not Vulnerable: Drupal Services single sign-on client 7.x-1.6

Exploit

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

References:

• Drupal Homepage (Drupal)
  
• Releases for Services single sign-on client (Drupal)
  
• Services single sign-on client Module Homepage (Drupal)
  
• Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-20 (Drupal)
  

Source: www.securityfocus.com