AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019
Project: AddToAny Share Buttons
Date: 2023-May-31
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting
Description
This module provides social media share & follow buttons.
The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permissions to configure malicious code, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
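To gauge exposure before upgrading, the added example below (not code from this advisory or the AddToAny project) scans exported `user.role.*.yml` configuration for roles that hold "administer blocks" without the AddToAny administration permission. The machine name `administer addtoany`, the helper names and the sample role files are assumptions constructed for illustration.

```python
import re

BLOCK_PERM = "administer blocks"       # permission named in the advisory
ADDTOANY_PERM = "administer addtoany"  # assumed machine name, verify on your site


def parse_role(yaml_text):
    """Pull id, is_admin and permissions out of one exported user.role.*.yml."""
    role = {"id": None, "is_admin": False, "permissions": set()}
    in_perms = False
    for line in yaml_text.splitlines():
        item = re.match(r"\s*-\s+(.+)$", line)
        if in_perms and item:
            role["permissions"].add(item.group(1).strip().strip("'\""))
            continue
        # Any non-item line ends the permissions list unless it starts one.
        in_perms = line.startswith("permissions:")
        key, _, value = line.partition(":")
        if key == "id":
            role["id"] = value.strip().strip("'\"")
        elif key == "is_admin":
            role["is_admin"] = value.strip() == "true"
    return role


def exposed_roles(role_files):
    """Return ids of roles that can edit blocks but are not AddToAny admins."""
    exposed = []
    for text in role_files:
        role = parse_role(text)
        if role["is_admin"]:
            continue  # admin roles implicitly hold every permission: no gap
        perms = role["permissions"]
        if BLOCK_PERM in perms and ADDTOANY_PERM not in perms:
            exposed.append(role["id"])
    return sorted(exposed)


# Constructed sample exports, not taken from a real site.
SAMPLE_ROLES = [
    "id: administrator\nlabel: Administrator\nis_admin: true\npermissions: {  }\n",
    "id: site_builder\nis_admin: null\npermissions:\n"
    "  - 'access content'\n  - 'administer addtoany'\n  - 'administer blocks'\n",
    "id: content_editor\nis_admin: null\npermissions:\n"
    "  - 'access content'\n  - 'administer blocks'\n",
    "id: authenticated\nis_admin: null\npermissions:\n  - 'access content'\n",
]

if __name__ == "__main__":
    print(exposed_roles(SAMPLE_ROLES))
```

Roles it reports are the ones whose members could reach the AddToAny block settings on an unpatched site; review their membership until the fixed release is installed.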
Solution
Install the latest version:
- If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10, upgrade to AddToAny 2.0.4
- If you use the AddToAny Share Buttons module for Drupal versions before 9.4, upgrade to AddToAny 8.x-1.21