[Security-news] SA-CONTRIB-2010-028 - Tag Order - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Mar 17 20:50:52 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-028
  * Project: Tag Order (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-March-17
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Tag Order module allows you to select vocabularies whose terms you would like
to preserve in the original order entered per node. Taxonomy vocabulary names
are not sanitized when being displayed on an administrative page, leading to
a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a
malicious user gaining full administrative access. Mitigating factor: only
users with the 'administer taxonomy' permission can enter or edit vocabulary
names.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Tag Order for Drupal 6.x prior to 6.x-1.4
  * Tag Order for Drupal 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed Tag Order
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Tag Order for Drupal 6.x upgrade to Tag Order 6.x-1.4 [2]
  * If you use Tag Order for Drupal 5.x upgrade to Tag Order 5.x-1.4 [3]

See also the Tag Order project page [4].

-------- REPORTED BY ---------------------------------------------------------

  * Martin Barbella [5]

-------- FIXED BY ------------------------------------------------------------

  * Martin Barbella [6]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/745338
[3] http://drupal.org/node/745346
[4] http://drupal.org/project/tagorder
[5] http://drupal.org/user/633600
[6] http://drupal.org/user/633600
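
The flaw in the DESCRIPTION section (a stored vocabulary name placed into administrative-page markup without sanitization), shown beside the escaped form. This is an added illustration, not Tag Order's code or its patch: the function names and sample data are hypothetical, and escape_plain() stands in for Drupal's check_plain().

```php
<?php
// Added illustration; not taken from the Tag Order module.
// All function names and sample values below are hypothetical.

// Stand-in for Drupal's check_plain(): encode HTML metacharacters on output.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored vocabulary name is concatenated into the
// admin form markup as-is, so any markup in the name is parsed by the browser.
function render_vocab_options_unsafe(array $vocabularies) {
  $out = '';
  foreach ($vocabularies as $vid => $name) {
    $out .= '<label><input type="checkbox" name="vocab[' . (int) $vid . ']"> '
          . $name . "</label>\n";
  }
  return $out;
}

// Hardened pattern: identical markup, but the name is escaped at the point
// of output, so it is displayed as text rather than interpreted as HTML.
function render_vocab_options_safe(array $vocabularies) {
  $out = '';
  foreach ($vocabularies as $vid => $name) {
    $out .= '<label><input type="checkbox" name="vocab[' . (int) $vid . ']"> '
          . escape_plain($name) . "</label>\n";
  }
  return $out;
}

// Constructed sample data: vocabulary id => name as stored by a user who
// holds the 'administer taxonomy' permission.
$vocabularies = array(
  1 => 'Topics',
  2 => 'Tags <script>alert("xss")</script>',
);

echo "--- unescaped ---\n", render_vocab_options_unsafe($vocabularies);
echo "--- escaped ---\n", render_vocab_options_safe($vocabularies);

// Simple regression check: no raw <script> tag may survive in safe output.
$safe = render_vocab_options_safe($vocabularies);
echo (strpos($safe, '<script>') === false) ? "PASS\n" : "FAIL\n";
```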


