DRUPAL-CONTRIB-2019-039

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/addtoany/DRUPAL-CONTRIB-2019-039.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-039
Published
2019-03-20T13:26:14Z
Modified
2025-12-10T23:33:29.067734Z
Summary
[none]
Details

This module enables you to add social media share buttons on your website to its content and pages.

The module doesn't sufficiently mark its administration permission as restricted, allowing users who have access to its admin settings to exploit cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer addtoany".

This advisory was edited on March 25th to add the affected 8.x-1.11 release.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/addtoany

Package

Name
drupal/addtoany
Purl
pkg:composer/drupal/addtoany

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.11.0
Database specific
{
    "constraint": "<1.11.0"
}

Database specific

affected_versions
"<1.11.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/addtoany/DRUPAL-CONTRIB-2019-039.json"