Secunia
Login
|
|
|
|
|
|
|
|
|
Drupal Multiple Script Insertion Vulnerabilities
Release Date: 2008-02-28 Last Update: 2008-03-11 Views: 8,027
Secunia Advisory SA29118
Where:
From remote
Impact:
Cross Site Scripting,
Solution Status:
Vendor Patch
CVE Reference(s):
Description
Some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks.
1) Input passed as titles is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed in content edit forms.
2) Input passed to unspecified parameters is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.
Successful exploitation requires in both cases that the attacker has valid user credentials.
The vulnerabilities are reported in version 6.0.
Solution:
Update to version 6.1.
Provided and/or discovered by:
1) The Drupal security team
2) The vendor credits Steve McKenzie.
Original Advisory:
DRUPAL-SA-2008-018:
http://drupal.org/node/227608
Deep Links:
Links available to Secunia VIM customers
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com
Subject: Drupal Multiple Script Insertion Vulnerabilities
|
No posts yet |
|
You must be logged in to post a comment. |
