* Advisory ID: DRUPAL-SA-CONTRIB-2012-005
* Project: Vote Up/Down [1] (third-party module)
* Version: 6.x
* Date: 2012-January-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to add voting widgets to nodes, terms and comments. The vud_term sub-module doesn't sufficiently sanitize taxonomy term names before display. In order to execute arbitrary script injection, malicious users must have the ability to create or edit taxonomy terms.
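The bug class described above, as an added illustration (this is not code from the Vote Up/Down module or from the Drupal project): a hypothetical theme helper that prints a taxonomy term's name inside a voting widget, first concatenating the stored name straight into markup, then passing it through Drupal 6's check_plain() first. The function names, the sample term and the check_plain() fallback for running outside Drupal are all assumptions made for the example.

```php
<?php
// Added example, not code from the Vote Up/Down module: a hypothetical
// widget label renderer shown in its unsafe form and in the form a
// Drupal 6 module should use.

// Drupal 6 defines check_plain() in includes/bootstrap.inc. This fallback is an
// assumption (htmlspecialchars with the same flags core uses, minus core's UTF-8
// validity check) so the file runs outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// UNSAFE (hypothetical): the term name is concatenated directly into HTML, so
// any tags stored in the name reach the browser as markup. This is the defect
// class the advisory describes for the vud_term sub-module.
function example_vud_term_label_unsafe($term) {
  return '<span class="vud-term-name">' . $term->name . '</span>';
}

// FIXED (hypothetical): check_plain() escapes <, >, &, " and ', so the name is
// displayed as literal text regardless of what a term editor saved.
function example_vud_term_label_safe($term) {
  return '<span class="vud-term-name">' . check_plain($term->name) . '</span>';
}

// Returns TRUE when a rendered label still contains raw angle brackets from the
// term name, i.e. when sanitization was skipped. Useful as a quick check in a
// module's own tests.
function example_label_leaks_markup($rendered, $term) {
  $inner = str_replace(array('<span class="vud-term-name">', '</span>'), '', $rendered);
  return $inner === $term->name && strpbrk($term->name, '<>') !== FALSE;
}

// Constructed sample term: a name carrying markup, as a user with the ability
// to create or edit taxonomy terms could save it.
$term = (object) array('tid' => 7, 'name' => 'Science <b>fair</b>');

$unsafe = example_vud_term_label_unsafe($term);
$safe   = example_vud_term_label_safe($term);

echo "unsafe: " . $unsafe . "\n";
echo "safe:   " . $safe . "\n";
echo "unsafe leaks markup: " . (example_label_leaks_markup($unsafe, $term) ? 'yes' : 'no') . "\n";
echo "safe leaks markup:   " . (example_label_leaks_markup($safe, $term) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The unsafe label reproduces the `<b>` tag as live HTML, while the sanitized label shows it as escaped entities, which is the behaviour the fixed releases are meant to restore. In Drupal 6 code, any of check_plain(), t() with an `@` placeholder, or filter_xss() for deliberately allowed tags is the appropriate step before echoing user-controlled term names.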
-------- VERSIONS AFFECTED ---------------------------------------------------
* Vote up/down 6.x-2.x versions prior to 6.x-2.8 [3].
* Vote up/down 6.x-3.x versions prior to 6.x-3.1 [4].
Drupal core is not affected. If you do not use the contributed Vote Up/Down [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use a 6.x-2.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-2.8 [6].
* If you use a 6.x-3.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-3.1 [7].
See also the Vote Up/Down [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Justin C. Klein Keane [9]
-------- FIXED BY ------------------------------------------------------------
* Marco Villegas [10], the module maintainer
* Greg Knaddison [11] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [12], Drupal security team member
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/vote_up_down
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1400528
[4] http://drupal.org/node/1400530
[5] http://drupal.org/project/vote_up_down
[6] http://drupal.org/node/1400528
[7] http://drupal.org/node/1400530
[8] http://drupal.org/project/vote_up_down
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/132175
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration