* Advisory ID: DRUPAL-SA-CONTRIB-2011-025
* Project: Juitter - jQuery Twitter live search feeds [1] and Download Count
[2] (third-party modules)
* Version: 6.x
* Date: 2011-June-22
* Security risk: Less critical [3]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Two modules are being marked unsupported because of cross site scripting issues. The
Juitter module enables you to use Juitter, a jQuery plugin, to put live
Twitter search results on your site. The Juitter module contains a cross site
scripting (XSS [4]) vulnerability that can be exploited when setting up the
module or translating the module's text strings. This vulnerability is
mitigated by the fact that an attacker must have a role with the permission
"administer juitter settings" or be able to translate text strings. The
Download Count module tracks downloads of files from a site. The Download
Count module contains a cross site scripting (XSS [5]) vulnerability. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer download count".
-------- VERSIONS AFFECTED
---------------------------------------------------
* Juitter module: 6.x-1.3
* Download Count module: 6.x-1.x, 6.x-2.x
Drupal core is not affected. If you do not use the contributed Juitter -
jQuery Twitter live search feeds [6] or the Download Count [7] module, there
is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Disable the Juitter module and remove the module from your filesystem. There
is no fixed version of the Juitter module available.
Disable the Download Count module and remove the module from your filesystem.
There is no fixed version of the Download Count module available.
See also the Juitter - jQuery Twitter live search feeds project page [8] and
the Download Count [9] project page.
-------- REPORTED BY
---------------------------------------------------------
* Maurits Lawende [10] identified the Juitter issue.
* Justin Klein Keane [11] identified the Download Count issue.
-------- FIXED BY
------------------------------------------------------------
These modules have not been fixed. Please disable them and remove them from
your file system.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/juitter
[2] http://drupal.org/project/download_count
[3] http://drupal.org/security-team/risk-levels
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://en.wikipedia.org/wiki/Cross-site_scripting
[6] http://drupal.org/project/juitter
[7] http://drupal.org/project/download_count
[8] http://drupal.org/project/juitter
[9] http://drupal.org/project/download_count
[10] http://drupal.org/user/243897
[11] http://drupal.org/user/302225
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: PSA-2011-002
* Date: 2011-June-15
* Project: External libraries and plugins
-------- DESCRIPTION
---------------------------------------------------------
Just like there's a need to diligently follow announcements and update
contributed modules downloaded from Drupal.org, there's also a need to follow
announcements by vendors of third-party libraries or plugins that are
required by such modules. Drupal's update module has no functionality to
alert you to these announcements. The Drupal security team will not release
announcements about security issues in external libraries and plugins. The
specific issue precipitating this public service announcement is a cross site
scripting vulnerability in (F)CKEditor, a common JavaScript-based WYSIWYG
editor used as a library in the modules CKeditor [1], FCKEditor [2] and
WYSIWYG [3]. Exploit examples are circulating.
-------- VERSIONS AFFECTED
---------------------------------------------------
* CKEditor versions prior to version 3.5.4
* FCKEditor versions prior to version 2.6.4.1
-------- SOLUTION
------------------------------------------------------------
Follow release announcements by the vendors of the external libraries and
plugins you use. In this specific case, remove the _samples directory from
the (f)ckeditor installation or upgrade to a non-vulnerable version. Make
sure to test compatibility between Drupal modules and new library versions
before deploying.
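The check the PSA asks for (remove the _samples directory, or upgrade past the affected versions), written up as an added maintenance script. It is not part of the PSA or of the CKEditor, FCKEditor or WYSIWYG modules. It assumes the library copies live somewhere under the roots listed at the top and that ckeditor.js declares its version as version:'x.y.z' while fckeditor.js uses Version = 'x.y.z'; both are assumptions, and a file whose version cannot be read is reported as needing attention. The fixed versions are the ones named in the PSA. Run it from the Drupal root.

```php
<?php
// Added example, not part of the PSA or of any Drupal module. Reports every
// CKEditor/FCKeditor copy below the fixed versions named in the PSA and every
// _samples directory below the assumed library roots.

// Directories under which editor libraries are commonly dropped (assumption).
$roots = array('sites/all/libraries', 'sites/all/modules', 'sites/default/libraries');

// First non-vulnerable versions, from the PSA.
$fixed = array('ckeditor.js' => '3.5.4', 'fckeditor.js' => '2.6.4.1');

/**
 * Walk $root and return one record per _samples directory or editor file found.
 */
function example_scan_editor_libraries($root, $fixed) {
  $found = array();
  if (!is_dir($root)) {
    return $found;
  }
  $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root),
    RecursiveIteratorIterator::SELF_FIRST);
  foreach ($it as $path => $info) {
    $base = basename($path);
    if ($info->isDir() && $base === '_samples') {
      $found[] = array('path' => $path, 'kind' => 'samples');
    }
    elseif ($info->isFile() && isset($fixed[$base])) {
      $version = example_editor_version(file_get_contents($path));
      $found[] = array(
        'path' => $path,
        'kind' => 'library',
        'version' => $version,
        // Unknown version is treated as vulnerable: fail closed.
        'vulnerable' => $version === NULL || version_compare($version, $fixed[$base], '<'),
      );
    }
  }
  return $found;
}

/**
 * Pull the version string out of ckeditor.js / fckeditor.js. The two patterns
 * are assumptions about how those files declare their version; NULL means
 * "could not tell".
 */
function example_editor_version($js) {
  if (preg_match("/version\s*[:=]\s*['\"]([0-9][0-9.]*)['\"]/", $js, $m)) {
    return $m[1];
  }
  if (preg_match("/Version\s*=\s*['\"]([0-9][0-9.]*)['\"]/", $js, $m)) {
    return $m[1];
  }
  return NULL;
}

foreach ($roots as $root) {
  foreach (example_scan_editor_libraries($root, $fixed) as $hit) {
    if ($hit['kind'] === 'samples') {
      print "REMOVE  {$hit['path']} (sample pages ship with the editor; delete on production sites)\n";
    }
    else {
      $state = $hit['vulnerable'] ? 'UPGRADE' : 'ok     ';
      $version = $hit['version'] ? $hit['version'] : 'unknown';
      print "$state {$hit['path']} version $version\n";
    }
  }
}
```

Deleting _samples removes the vulnerable pages but leaves the library itself unpatched, so treat it as a stop-gap until the module you use is confirmed to work with a fixed library release.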
-------- REPORTED BY
---------------------------------------------------------
The Drupal security team was alerted to this issue by Henry Sudhof [4].
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/ckeditor
[2] http://drupal.org/project/fckeditor
[3] http://drupal.org/project/wysiwyg
[4] http://drupal.org/node/874498
* Advisory ID: DRUPAL-SA-CONTRIB-2011-024
* Project: Spam [1] (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Spam module provides numerous tools to auto-detect and deal with spam
content that is posted to your site, without having to rely on third-party
services.
The Spam module provides a trainable Bayesian filter, automatic learning of
spammer URLs, flagging of content with an excessive number of links, the
ability to create custom filters, and more.
The module does not properly protect "mark as spam" links against Cross-site
Request Forgeries (CSRF), allowing a malicious user to trick an authorized
user into marking content as spam. Wikipedia has more information about
cross-site request forgery [3].
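A "mark as spam" link is a state-changing action reached by a plain GET, which is exactly the shape CSRF abuses. The following is an added example of how such a link is protected in Drupal 6; it is not the Spam module's code, and the module name, path, permission name and the stand-in action (unpublishing the node) are assumptions. hook_menu(), l(), drupal_get_token(), drupal_valid_token(), drupal_access_denied() and node_save() are the real Drupal 6 API.

```php
<?php
// Added example, not the Spam module's code. Names prefixed spam_example_ and
// the 'administer spam' permission are assumptions for illustration.

/**
 * Implementation of hook_menu().
 */
function spam_example_menu() {
  $items['spam-example/mark/%node'] = array(
    'page callback' => 'spam_example_mark_page',
    'page arguments' => array(2),
    'access arguments' => array('administer spam'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * VULNERABLE pattern: a plain link to a state-changing GET callback.
 *
 * Any page the moderator visits can embed
 *   <img src="http://example.com/spam-example/mark/42">
 * and the browser sends the moderator's session cookie with that request, so
 * node 42 is marked as spam without the moderator clicking anything.
 */
function spam_example_mark_link_unsafe($node) {
  return l(t('Mark as spam'), 'spam-example/mark/' . $node->nid);
}

/**
 * FIXED pattern: bind the link to the current session with a token.
 *
 * drupal_get_token() is an MD5 over the session ID, the supplied string and
 * the site's private key, so a third-party page cannot compute it for the
 * victim's session.
 */
function spam_example_mark_link($node) {
  $token = drupal_get_token('spam-example-mark-' . $node->nid);
  return l(t('Mark as spam'), 'spam-example/mark/' . $node->nid, array(
    'query' => 'token=' . $token,
  ));
}

/**
 * Menu callback: check the token before changing anything.
 */
function spam_example_mark_page($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'spam-example-mark-' . $node->nid)) {
    // Missing or forged token: treat exactly like a permission failure.
    return drupal_access_denied();
  }
  spam_example_mark_node_as_spam($node);
  drupal_set_message(t('%title was marked as spam.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}

/**
 * Stand-in for the module's real action (assumption): unpublish the node.
 */
function spam_example_mark_node_as_spam($node) {
  $node->status = 0;
  node_save($node);
}
```

The token must include the node ID (or whatever the action targets); a token over a fixed string would let an attacker who obtained one token replay it against every node. For destructive actions Drupal's own convention is a confirm_form() step, whose POST submission carries the Form API token automatically.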
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spam module 6.x-1.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Spam [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the spam module for Drupal 6.x upgrade to 6.x-1.1 [5]
See also the Spam [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gerhard Killesreiter [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Gerhard Killesreiter [8] a module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/spam
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[4] http://drupal.org/project/spam
[5] http://drupal.org/node/1183114
[6] http://drupal.org/project/spam
[7] http://drupal.org/user/227
[8] http://drupal.org/user/227
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-023
* Project: Prepopulate (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple
-------- DESCRIPTION
---------------------------------------------------------
The Prepopulate module enables pre-populating forms in Drupal using the
$_REQUEST variable.
The module does not adequately validate user input, leading to a cross-site
scripting (XSS) possibility in certain circumstances. Users privileged to use
forms with certain form fields can insert arbitrary HTML and script code into
the rendered form. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS).
The module does not properly protect the forms against Cross-site Request
Forgeries (CSRF), allowing a malicious user to trick an authorized user into
submitting unintended values on a form. Wikipedia has more information about
cross-site request forgery [2].
-------- VERSIONS AFFECTED
---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Prepopulate
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate
6.x-2.2 [4]
-------- REPORTED BY
---------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [5]
* CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]
-------- FIXED BY
------------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [7]
* CSRF by Joshua Brauer (jbrauer), Module maintainer [8]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-022
* Project: cosign [1] (third-party module)
* Version: 6.x
* Date: 2011-MONTH-XX
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
Under certain conditions the module deletes uid 1 and then does an
unparameterized db_query to insert a new uid 1.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer site configuration" and must be able to
remotely manipulate the web server environment variables REMOTE_USER and
REMOTE_REALM.
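What "unparameterized db_query" means in practice, as an added example that reconstructs the pattern the advisory describes rather than quoting the cosign module's code. The function names are assumptions; db_query() with %d/%s placeholders, db_escape_string(), user_validate_name(), watchdog() and the {users} table are the real Drupal 6 API. REMOTE_USER and REMOTE_REALM are set by the cosign web server filter, which is why the advisory notes an attacker must be able to influence them.

```php
<?php
// Added example, not the cosign module's code. Function names are assumptions.

/**
 * VULNERABLE: the account name comes straight from a web server variable and
 * is concatenated into SQL. A single quote inside REMOTE_USER ends the string
 * literal and everything after it is parsed as SQL.
 *
 * Constructed illustration (not a report of a real exploit): a REMOTE_USER of
 *   admin', 'attacker@example.org', 1, 0) --
 * turns the INSERT below into
 *   ... VALUES (1, 'admin', 'attacker@example.org', 1, 0) -- ', '...', 1, ...)
 * so the attacker chooses the e-mail address of uid 1, and with it the target
 * of a password reset.
 */
function cosign_example_recreate_uid1_unsafe() {
  $name = $_SERVER['REMOTE_USER'];
  $realm = $_SERVER['REMOTE_REALM'];
  $mail = $name . '@' . $realm;
  db_query("DELETE FROM {users} WHERE uid = 1");
  db_query("INSERT INTO {users} (uid, name, mail, status, created) "
    . "VALUES (1, '$name', '$mail', 1, " . time() . ")");
}

/**
 * FIXED: placeholders. Drupal 6's db_query() runs every %s argument through
 * db_escape_string() and casts every %d argument to an integer, so a value can
 * never change the shape of the statement.
 */
function cosign_example_recreate_uid1($name, $realm) {
  // Sanity check, not the defence: user_validate_name() returns an error
  // message for names Drupal would not accept (note it does allow apostrophes,
  // so it would not stop a quote on its own).
  if ($error = user_validate_name($name)) {
    watchdog('cosign_example', 'Refused to create uid 1 from REMOTE_USER: @error',
      array('@error' => $error), WATCHDOG_ERROR);
    return FALSE;
  }
  db_query("DELETE FROM {users} WHERE uid = %d", 1);
  db_query("INSERT INTO {users} (uid, name, mail, status, created) "
    . "VALUES (%d, '%s', '%s', %d, %d)",
    1, $name, $name . '@' . $realm, 1, time());
  return TRUE;
}
```

Deleting and re-inserting uid 1 is itself worth avoiding even once the query is safe: between the two statements the site has no super-user, and any failure in the INSERT leaves it that way. Loading the existing account and updating it with user_save() keeps the operation within Drupal's user API and avoids hand-written SQL against {users} altogether.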
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.4
* 6.x-1.5
* 6.x-1.6
Drupal core is not affected. If you do not use the contributed cosign [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Cosign module for Drupal 6.x, upgrade to version 6.x-1.7.
See also the cosign [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Steven Merrill [5]
-------- FIXED BY
------------------------------------------------------------
* Kris Steinhoff [6] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/cosign
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cosign
[4] http://drupal.org/project/cosign
[5] http://drupal.org/user/218671
[6] http://drupal.org/user/388809/
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.
This issue affects Drupal 6.x and 7.x.
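Colour values are a case where output escaping is the wrong tool: the value ends up inside a generated stylesheet and in style attributes, where check_plain() does nothing to stop a closing brace followed by further CSS rules, url() references or, in old browsers, CSS expressions. The only safe approach is a strict whitelist. The following is an added example of that check on a Drupal 6 form; it is not core's patch, and the color_example_ names and the palette field layout are assumptions. form_set_error(), t() and its % placeholder are the real API.

```php
<?php
// Added example, not Drupal core's fix. Names prefixed color_example_ and the
// $form_state['values']['palette'][<field>] layout are assumptions.

/**
 * Accept only #rgb or #rrggbb. The D modifier stops a trailing newline from
 * slipping past the $ anchor; 'red', '#abcd' and '#abc;}' are all rejected.
 */
function color_example_valid_hexcolor($color) {
  return (bool) preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color);
}

/**
 * Form validation handler for a palette form.
 */
function color_example_form_validate($form, &$form_state) {
  foreach ($form_state['values']['palette'] as $field => $color) {
    if (!color_example_valid_hexcolor($color)) {
      // '][' addresses the nested element so the right field is highlighted;
      // %color is escaped by t(), so the bad value cannot attack the message.
      form_set_error('palette][' . $field,
        t('%color is not a valid hexadecimal colour code.', array('%color' => $color)));
    }
  }
}

/**
 * Emit a palette into CSS. Re-checking at output time is cheap insurance
 * against values that reached storage by another route (import, update hook,
 * direct database edit): anything that fails the whitelist is dropped, never
 * "escaped".
 */
function color_example_palette_css($palette) {
  $css = '';
  foreach ($palette as $field => $color) {
    if (!color_example_valid_hexcolor($color)) {
      continue;
    }
    // The selector is derived from the field name, so whitelist that too.
    $selector = '.color-' . preg_replace('/[^a-z0-9-]/', '', strtolower($field));
    $css .= "$selector { color: $color; }\n";
  }
  return $css;
}
```

The same reasoning applies to the reflected XSS in the error handler above: a PHP error message built from a request parameter is untrusted text, and the mitigation the advisory gives (log errors instead of showing them) removes the sink entirely, which is why it is the recommended production setting regardless of this fix.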
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22. [6]
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.1
[7] and Drupal 7.2 [8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY
---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY
------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by Stéphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-021
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2010-May-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Webform module enables you to create custom webform or survey nodes. These
nodes typically may be created either by editorial teams or administrators.
Webform does not sufficiently check directory access when a user configures
an upload field. This may allow a user to upload malicious files to the
server in unsafe locations, but this is mitigated by the fact that a properly
configured site will use directory access control to limit those locations.
Webform also does not properly sanitize some user-submitted information
leading to XSS vulnerabilities.
Most of these vulnerabilities are mitigated by the fact that an attacker must
have a role with the permission "create webform content" or "administer
nodes". The user must be able to create a webform node (or another node type
that has been Webform-enabled) in order to leverage these exploits. One
vulnerability requires that a malicious user has a role that can submit a
webform that accepts file uploads which is a more common scenario.
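Confining an administrator-chosen upload directory to the site's files directory is the check the first Webform issue is about. The following is an added example of that check in Drupal 6 API terms; it is not Webform's code, and the 'upload_dir' field name and example_ function names are assumptions. file_directory_path(), file_check_location(), file_check_directory() and form_set_error() are real Drupal 6 functions. It matters because Drupal's files directory carries an .htaccess that disables script execution there; a directory outside it has no such protection, so an uploaded .php file there may run.

```php
<?php
// Added example, not Webform's code. The 'upload_dir' field and the example_
// function names are assumptions.

/**
 * Return the absolute path $relative resolves to if it lies inside the files
 * directory, or FALSE otherwise.
 */
function example_confine_upload_dir($relative) {
  $files = file_directory_path();          // e.g. sites/default/files
  $candidate = $files . '/' . $relative;

  // file_check_location() resolves symlinks and '..' with realpath() and
  // returns 0 when the result is not under $files. Note it only copes with one
  // missing trailing path component; deeper not-yet-created paths fail.
  $resolved = file_check_location($candidate, $files);
  if (!$resolved) {
    return FALSE;
  }

  // Caveat: file_check_location() uses a bare prefix comparison, so a sibling
  // such as sites/default/files-private passes the check for
  // sites/default/files. Require the directory separator explicitly.
  $root = realpath($files);
  if ($root === FALSE || strpos($resolved . '/', $root . '/') !== 0) {
    return FALSE;
  }
  return $resolved;
}

/**
 * Validation handler for a component settings form with an 'upload_dir'
 * textfield holding a path relative to the files directory.
 */
function example_upload_component_validate($form, &$form_state) {
  $relative = $form_state['values']['upload_dir'];

  // Whitelist the characters first: no '.', so no '..', and no leading '/'.
  if (!preg_match('@^[a-zA-Z0-9_][a-zA-Z0-9_/-]*$@', $relative)) {
    form_set_error('upload_dir',
      t('The upload directory may contain only letters, digits, underscores, dashes and slashes.'));
    return;
  }
  $resolved = example_confine_upload_dir($relative);
  if ($resolved === FALSE) {
    form_set_error('upload_dir', t('The upload directory must be inside the files directory.'));
    return;
  }
  // Create it if needed; on failure file_check_directory() sets a form error
  // on the element named by its third argument.
  file_check_directory($resolved, FILE_CREATE_DIRECTORY, 'upload_dir');
}
```

The character whitelist does most of the work and is the part worth keeping even if the realpath-based check is dropped: with no dots and no leading slash the path cannot leave the files directory. The second check exists for the case where the directory is taken from somewhere the whitelist does not cover, such as a stored setting.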
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-2.10
* 6.x-3.9
* 7.x-3.9
Drupal core is not affected. If you do not use the contributed Webform [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the 2.10 or 3.9 versions of the module for Drupal 6.x upgrade
to Webform 6.x-3.10 [4] (security fix only) or Webform 6.x-3.11 [5]
(security fix and latest fixes/features),
* If you use the 3.9 versions of the module for Drupal 7.x upgrade to
Webform 7.x-3.10 [6] (security fix only) or Webform 7.x-3.11 [7] (security
fix and latest fixes/features),
See also the Webform [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein Keane [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [10] the module maintainer
* Justin Klein Keane [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/webform
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://drupal.org/node/1161880
[5] http://drupal.org/node/1161904
[6] http://drupal.org/node/1161882
[7] http://drupal.org/node/1161906
[8] http://drupal.org/project/webform
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/35821
[11] http://drupal.org/user/302225
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-020
* Project: Taxonomy Access Control Lite [1] (third-party module)
* Version: 6.x
* Date: 2010-MAY-11
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The tac_lite module allows site administrators to hide nodes and taxonomy
terms from users without permission to view them. The permission to view
terms can be granted to a specific user, or all users with a specific role.
The module doesn't sufficiently strip markup when rendering taxonomy names,
leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead to a
malicious user gaining full administrative access.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy". Only users with the permission
"administer tac_lite" are vulnerable to the attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* tac_lite 6.x-1.4 and earlier
Drupal core is not affected. If you do not use the contributed Taxonomy
Access Control Lite [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the tac_lite module for Drupal 6.x upgrade to tac_lite 6.x-1.5
[5]
See also the Taxonomy Access Control Lite [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* AlexisWilke [7]
-------- FIXED BY
------------------------------------------------------------
* Dave Cohen [8] the module maintainer
* Stéphane Corlosquet [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/tac_lite
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/tac_lite
[5] http://drupal.org/node/1154232
[6] http://drupal.org/project/tac_lite
[7] http://drupal.org/user/356197
[8] http://drupal.org/user/18468
[9] http://drupal.org/user/52142
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-019
* Project: Menu Access [1] (third-party module)
* Version: 6.x
* Date: 2011-MAY-04
* Security risk: Moderately critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Menu Access module provides global, menu specific, and per menu item
security permissions by role and user account.
The Menu Access module contains a cross site scripting (XSS) [3]
vulnerability that can be exploited when a specially formatted menu
description is viewed. This could result in administrative account compromise
leading to web server process compromise.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer menu' permission which should generally only be
granted to trusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Menu Access module for Drupal 6.x versions prior to 6.x-1.9 [4]
Drupal core is not affected. If you do not use the contributed Menu Access
[5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Menu Access module for Drupal 6.x upgrade to Menu Access
6.x-1.9 [6]
See also the Menu Access [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kyle Small [8]
-------- FIXED BY
------------------------------------------------------------
* Robert Foley [9] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://www.drupal.org/project/menu_access
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1147032
[5] http://www.drupal.org/project/menu_access
[6] http://drupal.org/node/1147032
[7] http://www.drupal.org/project/menu_access
[8] http://drupal.org/user/832278
[9] http://drupal.org/user/234626
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-018
* Project: Node Reference URL Widget [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-April-27
* Security risk: Moderately critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Node Reference URL Widget module adds a new widget to the Node Reference
field type, allowing node reference fields to be auto-populated based on a
value from the URL.
The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead
to a malicious user gaining full administrative access.
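Most of the cross site scripting advisories above (Juitter, Download Count, Prepopulate, tac_lite, Menu Access and this one) come down to the same mistake: a string that an administrator or privileged user typed (a term name, a menu description, a setting, a URL parameter) is printed into HTML without the escaping appropriate to what it is allowed to contain. The following is an added example of the Drupal 6 choices; it is not any of those modules' code, the sample term is constructed, and the example_ function names are assumptions. check_plain(), filter_xss(), filter_xss_admin(), t() and the Form API behaviour noted are Drupal 6.

```php
<?php
// Added example covering the output-encoding mistake behind several of the
// advisories on this page. Not any module's code; example_ names are
// assumptions and the sample term is constructed.

/**
 * Constructed input, not real data: a term name carrying a payload.
 */
function example_sample_term() {
  return (object) array(
    'name' => '<img src=x onerror=alert(document.cookie)>',
    'description' => 'Internal <b>only</b>',
  );
}

/**
 * VULNERABLE: a term name set by anyone with "administer taxonomy" is dropped
 * straight into markup, and the onerror handler runs for whoever views it.
 */
function example_term_item_unsafe($term) {
  return '<li>' . $term->name . '</li>';
}

/**
 * Plain text: encode every HTML metacharacter.
 */
function example_term_item($term) {
  return '<li>' . check_plain($term->name) . '</li>';
}

/**
 * Inside t(): @name is check_plain()ed, %name is check_plain()ed and wrapped
 * in <em>, !name is inserted raw and is only for strings already known to be
 * safe markup.
 */
function example_term_sentence($term) {
  return t('Hiding nodes tagged with %name', array('%name' => $term->name));
}

/**
 * Text that legitimately carries limited markup, such as a menu description:
 * keep a tag whitelist. filter_xss() also drops on* attributes and
 * javascript: URLs from the tags it keeps.
 */
function example_menu_description($item) {
  return filter_xss($item['description'], array('a', 'em', 'strong'));
}

/**
 * filter_xss_admin() permits a far wider tag set; reserve it for text that
 * only people already trusted with the whole site can write.
 */
function example_admin_description($item) {
  return filter_xss_admin($item['description']);
}

/**
 * Form API gotcha: in Drupal 6 a textfield's '#default_value' is escaped by
 * theme_textfield(), but '#title' only gets filter_xss_admin() and
 * '#description' is printed as-is, so text from less trusted users used in
 * either place must be sanitized by the module.
 */
function example_form_with_untrusted_label($term) {
  $form['flag'] = array(
    '#type' => 'checkbox',
    '#title' => t('Hide nodes tagged @name', array('@name' => $term->name)),
    '#description' => check_plain($term->description),
  );
  return $form;
}
```

The rule of thumb behind the four variants: sanitize at output, not at input, and pick the function by what the string is allowed to contain rather than by who wrote it. "Only administrators can set this" is a mitigation, as the advisories say, not a reason to skip the escaping, because the whole point of a stored XSS is to reach the administrator's session from a lesser account.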
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node Reference URL Widget module for Drupal 6 prior to 6.x-1.10.
* Node Reference URL Widget module for Drupal 7 prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Node Reference
URL Widget [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node Reference URL Widget module for Drupal 6.x upgrade to
Node Reference URL Widget 6.x-1.10 [5].
* If you use the Node Reference URL Widget module for Drupal 7.x upgrade to
Node Reference URL Widget 7.x-1.10 [6].
See also the Node Reference URL Widget [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ralf Stamm [8]
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug (quicksketch [9]), the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://www.drupal.org/project/nodereference_url
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/nodereference_url
[5] http://drupal.org/node/1140310
[6] http://drupal.org/node/1140312
[7] http://drupal.org/project/nodereference_url
[8] http://drupal.org/user/43568
[9] http://drupal.org/user/35821
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration