Security-news

security-news@drupal.org

1 participants
1782 discussions

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service
by security-news＠drupal.org 10 Apr '13

10 Apr '13

View online: http://drupal.org/node/1966780 * Advisory ID: DRUPAL-SA-CONTRIB-2013-042 * Project: RESTful Web Services [1] (third-party module) * Version: 7.x * Date: 2013-April-10 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing a denial of service vulnerability. This vulnerability is mitigated by the fact that page caching must be enabled and the anonymous user role must be assigned a RESTWS permission, for example "access resource node". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * RESTWS 7.x-1.x versions prior to 7.x-1.3. * RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha5. Drupal core is not affected. If you do not use the contributed RESTful Web Services [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.3 [5] * If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.0-alpha5 [6] Also see the RESTful Web Services [7] project page. -------- REPORTED BY --------------------------------------------------------- * Dylan Tack [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Klaus Purer [9] the module maintainer * Stéphane Corlosquet [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/restws [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/restws [5] http://drupal.org/node/1966752 [6] http://drupal.org/node/1966758 [7] http://drupal.org/project/restws [8] http://drupal.org/user/96647 [9] http://drupal.org/user/262198 [10] http://drupal.org/user/52142 [11] http://drupal.org/user/262198 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass
by security-news＠drupal.org 03 Apr '13

03 Apr '13

View online: http://drupal.org/node/1960406 * Advisory ID: DRUPAL-SA-CONTRIB-2013-041 * Project: Chaos tool suite (ctools) [1] (third-party module) * Version: 7.x * Date: 2013-April-03 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they should not be able to view. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3 [5] Also see the Chaos tool suite (ctools) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [7] of the Drupal Security Team * Cash Williams [8] -------- FIXED BY ------------------------------------------------------------ * Daniel Wehner [9] the module maintainer. * Cash Williams [10] * Lee Rowlands [11] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [12] of the Drupal Security Team * Greg Knaddison [13] of the Drupal Security Team * Ben Jeavons [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. [1] http://drupal.org/project/ctools [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ctools [5] http://drupal.org/node/1960424 [6] http://drupal.org/project/ctools [7] http://drupal.org/user/36762 [8] http://drupal.org/user/421070 [9] http://drupal.org/user/99340 [10] http://drupal.org/user/421070 [11] http://drupal.org/user/395439 [12] http://drupal.org/user/395439 [13] http://drupal.org/user/36762 [14] http://drupal.org/user/91990 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass
by security-news＠drupal.org 03 Apr '13

03 Apr '13

View online: http://drupal.org/node/1960338 * Advisory ID: DRUPAL-SA-CONTRIB-2013-040 * Project: Commerce Skrill (Formerly Moneybookers) [1] (third-party module) * Version: 7.x * Date: 2013-April-03 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module integrates the Skrill online payment services [3] with Drupal Commerce. When processing Instant payment notifications (IPN), the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forged notifications to be accepted as valid. The vulnerability is mitigated by the fact that it only affects the "Moneybookers enterprise" payment method. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- The "Moneybookers enterprise" payment method provided by the Commerce Skrill [5] contributed module in all versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Commerce Skrill (Formerly Moneybookers) [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. The "Moneybookers enterprise" payment method now requires the use of the hash security option. * Upgrade to Commerce Skrill 7.x-1.2 [7] * Go to the backoffice of Skrill and enable the securityHash verification following the Administration > Processing > Processing Settings section. * Get the security token, and paste it in the Secret key field of the payment method configuration form. Also see the Commerce Skrill (Formerly Moneybookers) [8] project page. -------- REPORTED BY --------------------------------------------------------- * Julien Dubreuil [9] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Julien Dubreuil [10] the module maintainer * Jonathan Sacksick [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/commerce_moneybookers [2] http://drupal.org/security-team/risk-levels [3] https://www.moneybookers.com/ads/partners/?p=Drupalcommerce [4] http://cve.mitre.org/ [5] http://drupal.org/project/commerce_moneybookers [6] http://drupal.org/project/commerce_moneybookers [7] http://drupal.org/node/1959998 [8] http://drupal.org/project/commerce_moneybookers [9] http://drupal.org/user/519520 [10] http://drupal.org/user/519520 [11] http://drupal.org/user/972218 [12] http://drupal.org/user/262198 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-039 - Commons Wikis - Access bypass & Privilege escalation
by security-news＠drupal.org 27 Mar '13

27 Mar '13

View online: http://drupal.org/node/1954766 * Advisory ID: DRUPAL-SA-CONTRIB-2013-039 * Project: Commons Wikis [1] (third-party module) * Version: 7.x * Date: 2013-March-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Wikis module is used by the distribution to provide specific wiki functionality. Versions 3.0 and earlier of the Commons Wikis module is vulnerable to an access bypass and privilege escalation vulnerability that allows anonymous users to post content into groups. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commons and Commons Wikis versions prior to 7.x-3.1. Drupal core is not affected. If you do not use the contributed Commons Wikis [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Commons Wikis module upgrade to Commons Wikis 7.x-3.1 [5] or install the latest version of the Drupal Commons distribution (7.x-3.1) which will include the fix for Commons Wikis Also see the Commons Wikis [6] project page. -------- REPORTED BY --------------------------------------------------------- Commons project maintainers: * Jakob Perry [7] * Joseph Pontani [8] * Ezra Gildesgame [9] -------- FIXED BY ------------------------------------------------------------ Commons project maintainers: * Jakob Perry [10] * Joseph Pontani [11] * Ezra Gildesgame [12] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [13] of the Drupal Security Team * Ben Jeavons [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. [1] http://drupal.org/project/commons_wikis [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/commons_wikis [5] http://drupal.org/node/1954768 [6] http://drupal.org/project/commons_wikis [7] http://drupal.org/user/45640 [8] http://drupal.org/user/1014606 [9] http://drupal.org/user/69959/ [10] http://drupal.org/user/45640 [11] http://drupal.org/user/1014606 [12] http://drupal.org/user/69959/ [13] http://drupal.org/user/36762 [14] http://drupal.org/user/91990 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation
by security-news＠drupal.org 27 Mar '13

27 Mar '13

View online: http://drupal.org/node/1954764 * Advisory ID: DRUPAL-SA-CONTRIB-2013-038 * Project: Commons Groups [1] (third-party module) * Version: 7.x * Date: 2013-March-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations. Versions 3.0 and earlier of the Commons Groups module is vulnerable to an access bypass and privilege escalation vulnerability that allows anonymous users to post content into groups. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commons distribution and Commons Groups versions prior to 7.x-3.1. Drupal core is not affected. If you do not use the contributed Commons Groups [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Commons Groups module upgrade to Commons Groups 7.x-3.1 [5] or install the latest version of the Drupal Commons distribution (7.x-3.1) which will include the fix for Commons Groups Also see the Commons Groups [6] project page. -------- REPORTED BY --------------------------------------------------------- Commons project maintainers: * Joseph Pontani [7] * Jakob Perry [8] * Ezra Gildesgame [9] -------- FIXED BY ------------------------------------------------------------ Commons project maintainers: * Joseph Pontani [10] * Jakob Perry [11] * Ezra Gildesgame [12] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [13] of the Drupal Security Team * Ben Jeavons [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. [1] http://drupal.org/project/commons_groups [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/commons_groups [5] http://drupal.org/node/1954762 [6] http://drupal.org/project/commons_groups [7] http://drupal.org/user/1014606 [8] http://drupal.org/user/45640 [9] http://drupal.org/user/69959/ [10] http://drupal.org/user/1014606 [11] http://drupal.org/user/45640 [12] http://drupal.org/user/69959/ [13] http://drupal.org/user/36762 [14] http://drupal.org/user/91990 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)
by security-news＠drupal.org 27 Mar '13

27 Mar '13

View online: http://drupal.org/node/1954592 * Advisory ID: DRUPAL-SA-CONTRIB-2013-037 * Project: Rules [1] (third-party module) * Version: 7.x * Date: 2013-March-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Rules module allows site administrators to define conditionally executed actions based on occurring events (known as reactive or ECA rules). It's a replacement with more features for the trigger module in core. The module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize rule tags before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer rules". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Rules 7.x-2.x versions prior to 7.x-2.3. Drupal core is not affected. If you do not use the contributed Rules [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Rules module for Drupal 7.x, upgrade to Rules 7.x-2.3 [5] Also see the Rules [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein Keane [7] -------- FIXED BY ------------------------------------------------------------ * Justin C. Klein Keane [8] * Wolfgang Ziegler [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/rules [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/rules [5] http://drupal.org/node/1954508 [6] http://drupal.org/project/rules [7] http://drupal.org/user/302225 [8] http://drupal.org/user/302225 [9] http://drupal.org/user/16747 [10] http://drupal.org/user/262198 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)
by security-news＠drupal.org 27 Mar '13

27 Mar '13

View online: http://drupal.org/node/1954588 * Advisory ID: DRUPAL-SA-CONTRIB-2013-036 * Project: Zero Point [1] (third-party module) * Version: 7.x * Date: 2013-March-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text which creates a reflected Cross site scripting (XSS) vulnerability in URLs. There are no mitigating factors. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * zeropoint 7.x-1.x versions prior to 7.x-1.9. Drupal core is not affected. If you do not use the contributed Zero Point [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Zero Point theme for Drupal 7.x, upgrade to zeropoint 7.x-1.9 [5] Also see the Zero Point [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [7] -------- FIXED BY ------------------------------------------------------------ * Florian Radut [8] the module maintainer * Dennis Walgaard [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/zeropoint [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/zeropoint [5] http://drupal.org/node/1953840 [6] http://drupal.org/project/zeropoint [7] http://drupal.org/user/883702 [8] http://drupal.org/user/35316 [9] http://drupal.org/user/883702 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
by security-news＠drupal.org 20 Mar '13

20 Mar '13

View online: http://drupal.org/node/1948358 * Advisory ID: DRUPAL-SA-CONTRIB-2013-035 * Project: Views [1] (third-party module) * Version: 7.x * Date: 2013-March-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly prints some view configuration fields without proper sanitization opening a Cross-Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer vocabularies and terms" or other administer-related permissions from contributed modules that integrate with Views. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Views 7.x-3.x versions prior to 7.x-3.6. Drupal core is not affected. If you do not use the contributed Views [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.6 [5] Also see the Views [6] project page. -------- REPORTED BY --------------------------------------------------------- * Francisco José Cruz Romanos [7] -------- FIXED BY ------------------------------------------------------------ * Francisco José Cruz Romanos [8] * Daniel Wehner [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team * Ben Jeavons [11] of the Drupal Security Team * David Stoline [12] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/views [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/views [5] http://drupal.org/node/1948354 [6] http://drupal.org/project/views [7] http://drupal.org/user/848238 [8] http://drupal.org/user/848238 [9] http://drupal.org/user/99340 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/91990 [12] http://drupal.org/user/329570 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass
by security-news＠drupal.org 13 Mar '13

13 Mar '13

View online: http://drupal.org/node/1942330 * Advisory ID: DRUPAL-SA-CONTRIB-2013-034 * Project: Node Parameter Control [1] (third-party module) * Version: 6.x * Date: 2013-Mar-13 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to limit the visibility of the fields on the node edit form. The module doesn't sufficiently check access before allowing users to view and edit the configuration options allowing anonymous and authenticated users the ability to view and edit the configuration options. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All 6.x-1.x versions Drupal core is not affected. If you do not use the contributed Node Parameter Control [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module. No patched version is available. Also see the Node Parameter Control [5] project page. -------- REPORTED BY --------------------------------------------------------- * Talbot [6] -------- FIXED BY ------------------------------------------------------------ The module maintainer opted to mark the module as unsupported. -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/node_parameter_control [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/node_parameter_control [5] http://drupal.org/project/node_parameter_control [6] http://drupal.org/user/36138 [7] http://drupal.org/user/395439 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)
by security-news＠drupal.org 27 Feb '13

27 Feb '13

View online: http://drupal.org/node/1929508 * Advisory ID: DRUPAL-SA-CONTRIB-2013-031 * Project: Premium Responsive [1] (third-party theme) * Version: 7.x * Date: 2013-February-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Premium Responsive versions prior to 7.x-1.6 Drupal core is not affected. If you do not use the contributed Premium Responsive [4] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Premium Responsive 7.x-1.6 [5] Also see the Premium Responsive [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * saran.quardz [8] the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/responsive [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/responsive [5] http://drupal.org/node/1730752 [6] http://drupal.org/project/responsive [7] http://drupal.org/user/36762 [8] http://drupal.org/user/1031208 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/91990 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news