[Security-news] SA-CONTRIB-2009-105 - Subgroups for Organic Groups - Cross Site Scripting
security-news at drupal.org
security-news at drupal.org
Wed Nov 18 20:37:29 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-105
* Project: Subgroups for Organic Groups (third-party module)
* Version: 5.x
* Date: 2009-November-18
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Subgroups For Organic Groups module enables users to set group hierarchy.
The module does not filter the titles of some nodes before output, leading to
a cross-site scripting (XSS [1]) vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0
Drupal core is not affected. If you do not use the contributed Subgroups For
Organic Groups module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x
upgrade to version 5.x-3.4 [2]
* If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x
upgrade to versions 5.x-3.4 [3] or 5.x-4.0 [4]
See also the Subgroups For Organic Groups [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* The vulnerability was reported by Greg Knaddison [6]
-------- FIXED BY
------------------------------------------------------------
* XSS vulnerability fixed by Ezra Barnett Gildesgame [7], Subgroups For
Organic Groups module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/630004
[3] http://drupal.org/node/630004
[4] http://drupal.org/node/270602
[5] http://drupal.org/project/og_subgroups
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/69959
More information about the Security-news
mailing list