CVE-2015-7980
Description
Cross-site scripting (XSS) vulnerability in the Compass Rose module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "embedding a JavaScript library from an external source that was not reliable."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Compass Rose module for Drupal 6.x before 6.x-1.1 contains a cross-site scripting vulnerability due to embedding an untrusted external JavaScript library.
Vulnerability
The Compass Rose module for Drupal 6.x, versions prior to 6.x-1.1, contains a Cross-Site Scripting (XSS) vulnerability. The module embeds a JavaScript library from an external source that was not reliable, allowing injection of arbitrary web script or HTML via unspecified vectors [3]. The vulnerability resides in the module's approach to loading external JavaScript, not in the jQueryRotate library itself [1].
Exploitation
An attacker can exploit this vulnerability by convincing a user to visit a page that uses the affected Compass Rose field, which triggers the untrusted external JavaScript library. The attack does not require authentication or special network position; the attacker only needs to craft a link or content that, when viewed by a victim, executes the injected script in the context of the victim's browser session [3].
Impact
Successful exploitation leads to arbitrary web script or HTML execution in the victim's browser. This can result in session theft, page defacement, or other client-side attacks, potentially compromising the victim's account or exposing sensitive information. The impact is limited to the browser session and does not directly affect server-side data [3].
Mitigation
The vulnerability is fixed in Compass Rose 6.x-1.1, released on August 4, 2015 [4]. Users should upgrade to this version immediately. No other workarounds are documented. The module is unsupported beyond this release [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <6.x-1.1
- cpe:2.3:a:compass_rose_project:compass_rose:6.x-1.0:*:*:*:*:drupal:*:*
References
- www.drupal.org/node/2545132 (NVD: Patch, Vendor Advisory)
- www.drupal.org/node/2546174 (NVD: Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2015/10/24/4 (NVD: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2015/10/26/2 (NVD: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/76247 (NVD: Third Party Advisory, VDB Entry)