<div dir="ltr"><br><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2024-058" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-058</a><br>
<br>
Project: Tooltip [1]<br>
Date: 2024-November-06<br>
Security risk: *Moderately critical* 13 ∕ 25<br>
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>
Vulnerability: Cross site scripting<br>
<br>
Affected versions: <1.1.2<br>
Description: <br>
This module enables you to add any HTML content you want in a tooltip<br>
displayed on mouse hover.<br>
<br>
The module does not sufficiently escape the markup inserted in the tooltip<br>
block.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must have a role<br>
with the permission "administer blocks".<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you use the Tooltip module for Drupal 8.x, 9.x or 10.x, upgrade to<br>
     Tooltip 1.1.2 [3]<br>
<br>
Reported By: <br>
   * Pierre Rudloff [4]<br>
<br>
Fixed By: <br>
   * Matthieu Scarset [5]<br>
<br>
Coordinated By: <br>
   * Greg Knaddison [6] of the Drupal Security Team<br>
   * Juraj Nemec [7] of the Drupal Security Team<br>
   * Ivo Van Geertruyen [8] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/tooltip" rel="noreferrer" target="_blank">https://www.drupal.org/project/tooltip</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/tooltip/releases/1.1.2" rel="noreferrer" target="_blank">https://www.drupal.org/project/tooltip/releases/1.1.2</a><br>
[4] <a href="https://www.drupal.org/user/3611858" rel="noreferrer" target="_blank">https://www.drupal.org/user/3611858</a><br>
[5] <a href="https://www.drupal.org/user/3471281" rel="noreferrer" target="_blank">https://www.drupal.org/user/3471281</a><br>
[6] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[7] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[8] <a href="https://www.drupal.org/u/mrbaileys" rel="noreferrer" target="_blank">https://www.drupal.org/u/mrbaileys</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><br class="gmail-Apple-interchange-newline">===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div>