Security-news May 2012

security-news@drupal.org

1 participants
24 discussions

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported
by security-news＠drupal.org 02 May '12

02 May '12

View online: http://drupal.org/node/1557874 * Advisory ID: DRUPAL-SA-CONTRIB-2012-071 * Project: Glossify Internal Links Auto SEO [1] (third-party module) * Version: 6.x * Date: 2012-May-02 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against an Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms. -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-2.5 and before Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module, it is no longer supported. Also see the Glossify Internal Links Auto SEO [4] project page. -------- REPORTED BY --------------------------------------------------------- * Andrei Turcanu -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [5] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [6]. Learn more about the Drupal Security team and their policies [7], writing secure code for Drupal [8], and securing your site [9]. [1] http://drupal.org/project/glossify [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/glossify [4] http://drupal.org/project/glossify [5] http://drupal.org/user/102818 [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported
by security-news＠drupal.org 02 May '12

02 May '12

View online: http://drupal.org/node/1557872 * Advisory ID: DRUPAL-SA-CONTRIB-2012-070 * Project: Taxonomy Grid : Catalog [1] (third-party module) * Version: 6.x * Date: 2012-May-02 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected. This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term. -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-1.6 and before Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module Also see the Taxonomy Grid : Catalog [4] project page. -------- REPORTED BY --------------------------------------------------------- * Dylan Tack [5] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/project/taxonomy_grid [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/taxonomy_grid [4] http://drupal.org/project/taxonomy_grid [5] http://drupal.org/user/96647 [6] http://drupal.org/user/102818 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported
by security-news＠drupal.org 02 May '12

02 May '12

View online: http://drupal.org/node/1557868 * Advisory ID: DRUPAL-SA-CONTRIB-2012-069 * Project: Addressbook [1] (third-party module) * Version: 6.x * Date: 2012-May-02 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection -------- DESCRIPTION --------------------------------------------------------- This module contains a simple addressbook. The module has multiple issues including SQL Injection and Cross Site Request Forgery. -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-4.2 and before Drupal core is not affected. If you do not use the contributed Addressbook [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ This module is not supported. Uninstall the module. Also see the Addressbook [4] project page. -------- REPORTED BY --------------------------------------------------------- * Michael Hess [5] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [6]. Learn more about the Drupal Security team and their policies [7], writing secure code for Drupal [8], and securing your site [9]. [1] http://drupal.org/project/addressbook [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/addressbook [4] http://drupal.org/project/addressbook [5] http://drupal.org/user/102818 [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported
by security-news＠drupal.org 02 May '12

02 May '12

View online: http://drupal.org/node/1557852 * Advisory ID: DRUPAL-SA-CONTRIB-2012-068 * Project: Node Gallery [1] (third-party module) * Version: 6.x * Date: 2012-May-02 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system. This module does not protect a CSRF attack when creating node galleries. -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-3.1 and before Drupal core is not affected. If you do not use the contributed Node Gallery [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module, this module is no longer supported. Also see the Node Gallery [4] project page. -------- REPORTED BY --------------------------------------------------------- * Andrew Berry [5] -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/project/node_gallery [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/node_gallery [4] http://drupal.org/project/node_gallery [5] http://drupal.org/user/71291 [6] http://drupal.org/user/102818 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news May 2012