[Security-news] SA-CONTRIB-2009-055 - BUEditor - Cross Site Scripting
security-news at drupal.org
security-news at drupal.org
Wed Sep 9 17:32:54 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-055
* Project: BUEditor (third-party module)
* Version: 5.x, 6.x
* Date: 2009 September 9
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The BUEditor [1] module provides a plain textarea editor designed to
facilitate code writing. The module suffers from a Cross Site Scripting (XSS
[2]) vulnerability, which allows an attacker to hijack the account of a
logged in user by tricking them into visiting a seemingly innocent page using
the Live preview feature of BUEditor.
-------- VERSIONS AFFECTED
---------------------------------------------------
* BUEditor versions 6.x prior to 6.x-1.4
* BUEditor versions 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed BUEditor
module there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* Install BUEditor module version 6.x-1.4 [3]
* Install BUEditor module version 5.x-1.2 [4]
-------- REPORTED BY
---------------------------------------------------------
* Reported by Derek Wright [5] of the Drupal security team, fixed by Ufuk
Bayburt [6].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/bueditor
[2] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[3] http://drupal.org/node/572780
[4] http://drupal.org/node/572786
[5] http://drupal.org/user/46549
[6] http://drupal.org/user/9910
More information about the Security-news
mailing list