Some vulnerabilities have been reported in the Project Issue Tracking module for Drupal, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system.

1) The extension of uploaded files when e.g. creating a new issue are not properly verified. This can be exploited to upload arbitrary files.

Successful exploitation may require that the "Core upload module" is enabled (default setting for 5.x-2.x).

2) Certain input is not properly sanitised before being displayed in the summary table. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

Note: Successful exploitation requires certain unspecified editing rights.

The vulnerabilities are reported in versions 5.x-2.x-dev from before 2008-01-30, 5.x-1.2 and earlier, 4.7.x-2.6 and earlier, and 4.7.x-1.6 and earlier.

Solution
Update to version 5.x-2.0, 5.x-1.3, 4.7.x-2.7, or 4.7.x-1.7.
Further details available in Customer Area

Provided and/or discovered by
1) Derek Wright, Drupal Security Team
2) Chad Phillips, Drupal Security Team

Changelog
Further details available in Customer Area

Original Advisory
http://drupal.org/node/216062
http://drupal.org/node/216063

Deep Links
Links available in Customer Area