* Advisory ID: DRUPAL-SA-CONTRIB-2010-005
* Project: Own Term (third-party module)
* Version: 6.x-1.0
* Date: 2010-January-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Own Term module lets users create taxonomy terms in a designated
vocabulary; when a user creates content, their term is automatically added to
the node. The module does not sanitize the term description on a term listing
page, which allows a cross-site scripting (XSS [1]) attack. Users with a role
that has the 'create additional terms' permission can exploit this
vulnerability.
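The defect behind this advisory, and behind the other "does not sanitize user-supplied data before displaying it" advisories on this page (Node Block titles, Forward and Automated Logout settings, FAQ text, Sections, the core contact-category and menu-description pages, and the Currency Exchange log message), is the same: a user-controlled string reaches HTML output without being escaped. The following is an added example, not code from the Own Term module or any other project named here. The function names and the 'example' log type are hypothetical; the API calls (taxonomy_get_tree(), taxonomy_vocabulary_load(), l(), theme('table'), check_plain(), filter_xss(), t() placeholders, watchdog()) are Drupal 6 core.

```php
<?php
// Added example (not Own Term module code). Drupal 6 API.
// Term descriptions are entered by users holding 'create additional terms'
// (per the advisory), so they are attacker-controlled output.

// The vulnerable form: raw values dropped into markup that theme('table')
// prints verbatim. A description of <script>...</script> runs for every
// visitor of the listing, administrators included.
function example_term_list_vulnerable($vid) {
  $header = array(t('Term'), t('Description'));
  $rows = array();
  foreach (taxonomy_get_tree($vid) as $term) {
    $rows[] = array(
      l($term->name, 'taxonomy/term/' . $term->tid), // l() escapes $term->name unless $options['html'] is set
      $term->description,                             // BUG: unescaped user input
    );
  }
  return theme('table', $header, $rows);
}

// The hardened form. Decide per value which markup is legitimate:
//  - check_plain(): no markup allowed; escapes <, >, &, " and '
//  - filter_xss(): keep a whitelist of harmless tags, strip everything else
//  - t() with @ or % placeholders: escaped on substitution; never use ! for user data
function example_term_list_fixed($vid) {
  $header = array(t('Term'), t('Description'));
  $rows = array();
  foreach (taxonomy_get_tree($vid) as $term) {
    $rows[] = array(
      l($term->name, 'taxonomy/term/' . $term->tid),
      filter_xss($term->description, array('a', 'em', 'strong')),
    );
  }
  if (empty($rows)) {
    // The @vocab placeholder runs check_plain() on the vocabulary name;
    // 'No terms in ' . $vocab->name would reopen the hole.
    $vocab = taxonomy_vocabulary_load($vid);
    return '<p>' . t('No terms in the @vocab vocabulary.', array('@vocab' => $vocab->name)) . '</p>';
  }
  return theme('table', $header, $rows);
}

// The same rule applies to log messages (the Currency Exchange advisory on
// this page): dblog renders watchdog() entries through t(), so variables
// passed as placeholders are escaped, while text concatenated into $message
// is printed as-is on the admin/reports/dblog page.
function example_log_bad_code($code) {
  watchdog('example', 'Unknown currency code ' . $code);                        // BUG
  watchdog('example', 'Unknown currency code %code', array('%code' => $code)); // fixed
}
```

For user names (the Wunderbar! advisory) the equivalent is theme('username', $account), which passes the name through check_plain(); for administration pages that legitimately carry markup, filter_xss_admin() rather than raw output. When reviewing a contributed module, grep for drupal_set_message(), theme('table'), theme('item_list') and string concatenation into HTML, and check each value's origin: anything a non-administrator can write must be escaped at output.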
-------- VERSIONS AFFECTED
---------------------------------------------------
* Own Term module 6.x-1.0
Drupal core is not affected. If you do not use the contributed Own Term
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Own Term module for Drupal 6.x upgrade to Own Term 6.x-1.1
[2]
See also the Own Term project page [3].
-------- REPORTED BY
---------------------------------------------------------
Benjamin Jeavons [4], Own Term module comaintainer.
-------- FIXED BY
------------------------------------------------------------
Benjamin Jeavons [5], Own Term module comaintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/683544
[3] http://drupal.org/project/ownterm
[4] http://drupal.org/user/91990
[5] http://drupal.org/user/91990
* Advisory ID: DRUPAL-SA-CONTRIB-2010-004
* Project: Node Block (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Node Block module lets you designate one or more content types as blocks,
so that site content managers can edit a block's text and title without access
to the block administration page; edit access to the node is all that is
required. Users with the 'administer blocks' permission also see region and
weight options on the node form. Node Block does not properly escape node
titles, allowing users who may create or edit the designated content type(s)
to inject arbitrary HTML and script into the site. Such a cross site scripting
(XSS) attack may lead to a malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node Blocks module 5.x-1.1 and prior versions
* Node Blocks module 6.x-1.3 and prior versions
Drupal core is not affected. If you do not use the contributed Node Block
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node Blocks module for Drupal 5.x upgrade to Node Blocks
5.x-1.2 [1]
* If you use the Node Blocks module for Drupal 6.x upgrade to Node Blocks
6.x-1.4 [2]
See also the Node Block project page [3].
-------- REPORTED BY
---------------------------------------------------------
Martin Barbella [4] and Khalid Baheyeldin [5]
-------- FIXED BY
------------------------------------------------------------
Thomas Turnbull [6].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/683586
[2] http://drupal.org/node/683584
[3] http://drupal.org/project/nodeblock
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/4063
[6] http://drupal.org/user/125573
* Advisory ID: DRUPAL-SA-CONTRIB-2010-003
* Project: Forward (third-party module)
* Version: 6.x
* Date: 2010-January-6
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple XSS vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module allows users to forward a link to a specific node on your site to
a friend. The Forward module does not properly sanitize user supplied data,
allowing users with the "access administration pages" and "administer
forward" permissions, or users with "access administration pages" and
"administer site configuration" permissions to inject scripts into Drupal
generated output, leading to a cross-site scripting (XSS [1]) vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Forward version prior to 6.x-1.12
Drupal core is not affected. If you do not use the contributed Forward [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version: upgrade to Forward 6.x-1.12 [3]. See also the
Forward module project page [4].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [5]
-------- FIXED BY
------------------------------------------------------------
mr.baileys [6].
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/forward
[3] http://drupal.org/node/676494
[4] http://drupal.org/project/forward
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/383424
* Advisory ID: DRUPAL-SA-CONTRIB-2010-002
* Project: Currency Exchange (third-party module)
* Version: 6.x
* Date: 2010-January-6
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides a site with the ability to display currency exchange
rates. The module does not sanitize some of the user-supplied data before
logging it to the watchdog, leading to a cross-site scripting (XSS [1])
vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Currency Exchange version prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Currency
Exchange [2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version: upgrade to Currency Exchange 6.x-1.2 [3]. See
also the Currency Exchange module project page [4].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [5]
-------- FIXED BY
------------------------------------------------------------
mr.baileys [6] and kbahey [7], one of the module's maintainers.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/currency
[3] http://drupal.org/node/676214
[4] http://drupal.org/project/currency
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2010-001
* Project: Wunderbar! (third-party module)
* Version: 6.x
* Date: 2010-January-6
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Wunderbar! module provides a floating bar with configurable buttons and
the ability to link off to social networking sites. The module does not
properly escape user names, potentially allowing a cross site scripting [1]
(XSS) attack which may lead to the user gaining full administrative access.
The risk is mitigated by Drupal's default configuration, which disallows some
characters (<, >, &, and quotes) in user names. A site would only be
vulnerable to this attack if it uses an alternate means to create usernames.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Wunderbar! versions 6.x prior to 6.x-0.6
Drupal core is not affected. If you do not use the Wunderbar! module, there
is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Wunderbar! for Drupal 6.x upgrade to Wunderbar! 6.x-0.6 [2]
See also the Wunderbar! project page [3].
-------- REPORTED BY
---------------------------------------------------------
Isaac Sukin [4].
-------- FIXED BY
------------------------------------------------------------
Bryan Ollendyke [5], the Wunderbar! project maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/675968
[3] http://drupal.org/project/wunderbar
[4] http://drupal.org/user/201425
[5] http://drupal.org/user/24286
* Advisory ID: DRUPAL-SA-CONTRIB-2009-115
* Project: Autocomplete Widgets for CCK Text and Number (third-party module)
* Version: 6.x
* Date: 2009-December-30
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Autocomplete Widgets module adds two autocomplete widgets for CCK fields of
type Text and Number. The autocomplete callback implemented by this module
does not honor permissions to access CCK fields, allowing users to read field
values even though they are not authorized to view that field.
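The general shape of this bug is an AJAX callback whose menu-level access check ('access content' or similar) is coarser than the access rules of the data it returns. The following is an added example, not code from the Autocomplete Widgets module; the menu path 'example/autocomplete' and the function names are hypothetical. The calls assumed are Drupal 6 core (drupal_json(), db_query_range(), db_rewrite_sql(), drupal_access_denied()) and CCK 6.x-2.x (content_fields(), content_access(), content_database_info()).

```php
<?php
// Added example (not Autocomplete Widgets code). Drupal 6 + CCK 6.x-2.x API.
// Hypothetical path: example/autocomplete/<field name>/<content type>/<prefix>

function example_menu() {
  $items['example/autocomplete/%/%'] = array(
    'page callback' => 'example_autocomplete',
    'page arguments' => array(2, 3),
    // 'access content' is all the menu system can check here; it says nothing
    // about whether this user may view this particular field.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_autocomplete($field_name, $type_name, $string = '') {
  $field = content_fields($field_name, $type_name);
  if (empty($field)) {
    drupal_not_found();
    return;
  }
  // The check the vulnerable versions lacked: hook_field_access() (via
  // content_access()) is what decides whether this account may see values of
  // this field. Without it a user who cannot view the field still harvests
  // every stored value, one prefix at a time.
  if (!content_access('view', $field, $GLOBALS['user'])) {
    drupal_access_denied();
    return;
  }
  $db_info = content_database_info($field);
  $table = $db_info['table'];
  $column = $db_info['columns']['value']['column'];
  $matches = array();
  if ($string !== '') {
    // Join on {node} so db_rewrite_sql() can apply node access grants: values
    // living on nodes this user may not view are not leaked either.
    // db_query() escapes the %s argument; %% is a literal LIKE wildcard.
    $sql = "SELECT DISTINCT t.$column AS value FROM {{$table}} t "
         . "INNER JOIN {node} n ON t.vid = n.vid "
         . "WHERE n.status = 1 AND LOWER(t.$column) LIKE LOWER('%s%%')";
    $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
    while ($row = db_fetch_object($result)) {
      // Escape on the way out as well: the suggestions land in the page DOM.
      $matches[$row->value] = check_plain($row->value);
    }
  }
  drupal_json($matches);
}
```

The test for a module like this is to log in as a role that cannot view the field (or cannot view the node carrying it), request the callback path directly with a one-character prefix, and confirm that the JSON response is empty or a 403 rather than a list of values.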
-------- VERSIONS AFFECTED
---------------------------------------------------
* Autocomplete Widgets module 6.x-1.2 and prior versions on the 6.x-1.x
branch
Drupal core is not affected. If you do not use the contributed Autocomplete
Widgets [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to
Autocomplete Widgets 6.x-1.3 [2]
See also the Autocomplete Widgets module project page [3].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [4]
-------- FIXED BY
------------------------------------------------------------
markus_petrux [5], the Autocomplete Widgets module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/autocomplete_widgets
[2] http://drupal.org/node/670928
[3] http://drupal.org/project/autocomplete_widgets
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/39593
* Advisory ID: DRUPAL-SA-CONTRIB-2009-114
* Project: Automated Logout (third-party module)
* Version: 6.x
* Date: 2009-December-23
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides a site administrator the ability to log users out after
a specified time of inactivity. The module does not sanitize some of the
user-supplied data before displaying it, leading to a cross-site scripting
(XSS [1]) vulnerability. Users who can take advantage of this vulnerability
could gain administrator access to a site. This vulnerability is mitigated by
the fact that the attacker must have a role with the 'administer autologout'
permission.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Automated Logout module 6.x-1.6 and prior versions on the 6.x-1.x branch
* Automated Logout module 6.x-2.2 and prior versions on the 6.x-2.x branch
Note that the Drupal 5 version of the Automated Logout module is also
affected, but the attacker must have a role with the 'administer site
configuration' permission. The 'administer site configuration' permission is
inherently unsafe and should only be granted to trusted users; therefore,
this issue is not considered a security vulnerability for Drupal 5 (see
http://drupal.org/node/475848). Drupal core is not affected. If you do not
use the contributed Automated Logout [2] module, there is nothing you need to
do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Automated Logout module for Drupal 6.x, upgrade to either
Automated Logout 6.x-1.7 [3] or Automated Logout 6.x-2.3 [4]
See also the Automated Logout module project page [5].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [6]
-------- FIXED BY
------------------------------------------------------------
jvandervort [7], one of the Automated Logout module maintainers
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/autologout
[3] http://drupal.org/node/667084
[4] http://drupal.org/node/667086
[5] http://drupal.org/project/autologout
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/35604
* Advisory ID: DRUPAL-SA-CONTRIB-2009-113
* Project: FAQ (third-party module)
* Version: 5.x, 6.x
* Date: 2009-December-23
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Frequently Asked Questions (faq) module allows users, with the
appropriate permissions, to create question and answer pairs which are
displayed on the 'faq' page, and in the random and recent FAQ blocks. The
module does not sanitize some of the user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability. This vulnerability
is mitigated by the fact that the attacker must have a role with the
'administer faq', 'create faq' or 'edit faq' permissions. If using the FAQ
module with the FAQ Ask module, the attacker may also exploit the
vulnerability if they have the 'ask question' permission.
-------- VERSIONS AFFECTED
---------------------------------------------------
* FAQ module 5.x-2.13 and prior versions
* FAQ module 6.x-1.10 and prior versions
Drupal core is not affected. If you do not use the contributed FAQ [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FAQ module for Drupal 5.x upgrade to FAQ 5.x-2.14
* If you use the FAQ module for Drupal 6.x upgrade to FAQ 6.x-1.11
See also the FAQ module project page [3].
-------- REPORTED BY
---------------------------------------------------------
* stella [4] (the module maintainer)
-------- FIXED BY
------------------------------------------------------------
* stella [5] (the module maintainer)
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/faq
[3] http://drupal.org/project/faq
[4] http://drupal.org/user/66894
[5] http://drupal.org/user/66894
* Advisory ID: DRUPAL-SA-CORE-2009-009
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2009-December-16
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities were discovered in Drupal.
.... Contact category name cross-site scripting
The Contact module does not correctly handle certain user input when
displaying category information. Users privileged to create contact
categories can insert arbitrary HTML and script code into the contact module
administration page. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS). This issue affects Drupal 6.x and
Drupal 5.x.
.... Menu description cross-site scripting
The Menu module does not correctly handle certain user input when displaying
the menu administration overview. Users privileged to create new menus can
insert arbitrary HTML and script code into the menu module administration
page. Such a cross-site scripting attack may lead to the malicious user
gaining administrative access. Wikipedia has more information about
cross-site scripting [2] (XSS). This issue affects Drupal 6.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 5.x before version 5.21.
* Drupal 6.x before version 6.15.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.15 [3].
* If you are running Drupal 5.x then upgrade to Drupal 5.21 [4].
If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerability, but do not contain other fixes which were
released in Drupal 5.21 or Drupal 6.15.
* To patch Drupal 6.14 use SA-CORE-2009-009-6.14.patch [5].
* To patch Drupal 5.20 use SA-CORE-2009-009-5.20.patch [6].
-------- REPORTED BY
---------------------------------------------------------
The contact category XSS issue was independently reported by mr.baileys and
Justin Klein Keane [7]. The menu description XSS issue was reported by
mr.baileys [8].
-------- FIXED BY
------------------------------------------------------------
The contact category XSS issue was fixed by Justin Klein Keane [9] and Dave
Reid [10]. The menu description XSS issue was fixed by Gábor Hojtsy [11] and
Heine Deelstra [12].
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://ftp.drupal.org/files/projects/drupal-6.15.tar.gz
[4] http://ftp.drupal.org/files/projects/drupal-5.21.tar.gz
[5] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[6] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-5.20.patch
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/53892
[11] http://drupal.org/user/4166
[12] http://drupal.org/user/17943
* Advisory ID: DRUPAL-SA-CONTRIB-2009-112
* Project: Sections (third-party module)
* Version: 5.x, 6.x
* Date: 2009-December-16
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Sections module allows the creation of sections within a site. Each
section has an installed template, theme or style attached to it. The module
does not sanitize some of the user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability. Users who can take
advantage of this vulnerability could gain administrator access to a site.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer sections' permission.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Sections module 5.x-1.2 and prior versions
* Sections module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Sections [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Sections module for Drupal 5.x upgrade to Sections 5.x-1.3
[3]
* If you use the Sections module for Drupal 6.x upgrade to Sections 6.x-1.3
[4]
See also the Sections module project page [5]
-------- REPORTED BY
---------------------------------------------------------
Justin C. Klein Keane [6]
-------- FIXED BY
------------------------------------------------------------
Alexander Hass [7] the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/sections
[3] http://drupal.org/node/660794
[4] http://drupal.org/node/660796
[5] http://drupal.org/project/sections
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/85918