* Advisory ID: DRUPAL-SA-CONTRIB-2009-055 * Project: BUEditor (third-party module) * Version: 5.x, 6.x * Date: 2009 September 9 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The BUEditor [1] module provides a plain textarea editor designed to facilitate code writing. The module suffers from a Cross Site Scripting (XSS [2]) vulnerability, which allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page using the Live preview feature of BUEditor. -------- VERSIONS AFFECTED --------------------------------------------------- * BUEditor versions 6.x prior to 6.x-1.4 * BUEditor versions 5.x prior to 5.x-1.2 Drupal core is not affected. If you do not use the contributed BUEditor module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ * Install BUEditor module version 6.x-1.4 [3] * Install BUEditor module version 5.x-1.2 [4] -------- REPORTED BY --------------------------------------------------------- * Reported by Derek Wright [5] of the Drupal security team, fixed by Ufuk Bayburt [6]. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/bueditor [2] http://en.wikipedia.org/wiki/Cross_Site_Scripting [3] http://drupal.org/node/572780 [4] http://drupal.org/node/572786 [5] http://drupal.org/user/46549 [6] http://drupal.org/user/9910