[Security-news] SA-CONTRIB-2009-021 CCK comment reference - Cross site scripting

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-021
  * Project: CCK comment reference (third-party module)
  * Version: 6.x
  * Date: 2009 April 15
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION  
---------------------------------------------------------

CCK comment reference project, lets administrators define node fields that
are references to comments. When displaying a node edit form, the titles of
candidate referenced comments are not properly filtered, allowing malicious
users to inject arbitrary code on those pages. Such a cross site scripting
[1] (XSS) attack may lead to a malicious user gaining full administrative
access.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Versions of CCK comment reference for Drupal 6.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the CCK comment reference
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use CCK comment reference for Drupal 6.x upgrade to CCK comment
    reference 6.x-1.2 [2]

See also the CCK comment reference project page [3].
-------- REPORTED BY  
---------------------------------------------------------

Kristof De Jaeger (swentel [4]).
-------- FIXED BY  
------------------------------------------------------------

Kristof De Jaeger (swentel [5]).
-------- CONTACT  
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/434842
[3] http://drupal.org/project/commentreference
[4] http://drupal.org/user/107403
[5] http://drupal.org/user/107403