[Security-news] SA-CONTRIB-2009-008 - Taxonomy Theme - Cross site scripting

security-news at drupal.org security-news at drupal.org
Sat Feb 28 19:48:24 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-008
  * Project: Taxonomy Theme (third-party module)
  * Version: 5.x
  * Date: 2009 February 28
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The Taxonomy Theme module allows a website administrator to change the theme
of a given content item based on taxonomy term, vocabulary or content type. It
does not properly sanitize user-supplied data in a number of places. This
allows users with the "administer taxonomy" permission, or, when free tagging
is enabled, any user able to submit content, to insert arbitrary HTML and
scripts into certain pages. Such a cross-site scripting [1] (XSS) attack
against sufficiently privileged users may lead to administrator access to the
site.
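The following PHP snippet is an added illustration of the bug class this advisory describes, not code from the Taxonomy Theme module itself. It shows a taxonomy term name being placed into page markup unescaped, beside the corrected form that passes every user-supplied value through Drupal 5's check_plain(). The term data, the hypothetical row-rendering functions and the "garland" theme name are constructed for the example; a minimal stand-in for check_plain() is defined only so the file also runs outside a Drupal bootstrap.

```php
<?php
// Added example: vulnerable versus fixed output of user-controlled taxonomy
// data. Not the module's actual code; function names are hypothetical.

if (!function_exists('check_plain')) {
  // Stand-in for Drupal 5's check_plain(): escape HTML special characters so
  // the value renders as text instead of being parsed as markup.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample term: the name is whatever a user with "administer
// taxonomy" (or, with free tagging, any content author) chose to submit.
$term = (object) array(
  'tid'  => 42,
  'name' => "Articles<script>alert('xss')</script>",
);

// Vulnerable pattern: raw term name concatenated into an admin-page table.
// A browser rendering this row executes the embedded script in the context
// of whoever views the page, typically a site administrator.
function taxonomy_theme_row_vulnerable($term, $theme) {
  return '<tr><td>' . $term->name . '</td><td>' . $theme . '</td></tr>';
}

// Fixed pattern: every value that originated from user input is escaped at
// the point of output, so the same string is displayed literally.
function taxonomy_theme_row_fixed($term, $theme) {
  return '<tr><td>' . check_plain($term->name) . '</td>'
       . '<td>' . check_plain($theme) . '</td></tr>';
}

// Simple review check: does the rendered fragment still contain an
// unescaped tag? Useful when auditing output paths in a module.
function contains_raw_tag($html) {
  return preg_match('/<\s*script\b/i', $html) === 1;
}

$vuln  = taxonomy_theme_row_vulnerable($term, 'garland');
$fixed = taxonomy_theme_row_fixed($term, 'garland');

echo "vulnerable: ", $vuln, "\n";
echo "fixed:      ", $fixed, "\n";
echo "raw <script> in vulnerable output: ", contains_raw_tag($vuln) ? 'yes' : 'no', "\n";
echo "raw <script> in fixed output:      ", contains_raw_tag($fixed) ? 'yes' : 'no', "\n";
```

The fix is applied at output time rather than on input, which is the Drupal convention: the database keeps the name exactly as entered, and check_plain() (or filter_xss() where some markup is intended) is applied wherever the value is rendered into HTML.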
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of Taxonomy Theme for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed Taxonomy Theme
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Taxonomy Theme for Drupal 5.x, upgrade to Taxonomy Theme 5.x-1.2 [2]

See also the Taxonomy Theme project page [3].
-------- REPORTED BY ---------------------------------------------------------

This vulnerability was publicly disclosed.
-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/386942
[3] http://drupal.org/project/taxonomy_theme