CVE-2024-13292
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Drupal Tooltip module allows attackers to inject malicious scripts into web pages viewed by other users. It affects all Drupal sites using the Tooltip module. The vulnerability enables attackers to steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Drupal Tooltip module
📦 What is this software?
Tooltip by Tooltip Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain administrative access to the Drupal site, install backdoors, deface the website, or steal sensitive user data.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, the impact is limited to potential script execution in user browsers without server compromise.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. Attackers need to find input vectors where malicious scripts can be injected and executed in victim browsers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.2
Vendor Advisory: https://www.drupal.org/sa-contrib-2024-058
Restart Required: No
Instructions:
1. Update the Tooltip module to version 1.1.2 or later via Drupal's update manager. 2. Clear Drupal caches. 3. Verify the update was successful by checking the module version.
🔧 Temporary Workarounds
Disable Tooltip module
allTemporarily disable the vulnerable module until patching is possible
drush pm-disable tooltip
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure in Drupal's security settings
🧯 If You Can't Patch
- Disable the Tooltip module immediately
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check if Tooltip module is installed and version is below 1.1.2 via Drupal admin interface or drush commandCheck Version:
drush pm-list --fields=name,version | grep tooltipVerify Fix Applied:
Verify Tooltip module version is 1.1.2 or higher and test input fields for proper sanitization📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests with script tags or JavaScript payloads to Tooltip-related endpoints
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in parameters
- Unusual outbound connections from user browsers after visiting Tooltip pages
SIEM Query:
source="web_server_logs" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=") AND uri="*tooltip*"