------------CVS MANAGEMENT/TRACKER XSS------------
* Advisory ID: DRUPAL-SA-2006-028.
* Project: CVS management/tracker (third party module).
* Date: 2006-Dec-05.
* Security risk: less critical.
* Exploitable from: remote.
* Vulnerability: Cross site scripting.
------------DESCRIPTION------------
The motivation field of the CVS application page is not passed through check_markup() on display, so HTML entered there is output unfiltered. A malicious user may use this field to inject script that executes in the browser of anyone viewing the page (cross site scripting, XSS). This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia [http://en.wikipedia.org/wiki/Cross_site_scripting].
Revoking the "access CVS messages" permission provides an immediate workaround.
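The pattern behind this advisory, shown as an added illustration rather than the cvslog module's own code: a hypothetical theme function (theme_cvs_application_*, with $application->name and $application->motivation as assumed fields) that echoes the motivation field raw, beside the form that filters it. check_markup() and check_plain() are the Drupal 4.7 API functions the advisory refers to.

```php
<?php
// Added example, not the module's code. theme_cvs_application_unsafe(),
// theme_cvs_application_safe(), $application->name and
// $application->motivation are assumptions made for this illustration.

// Vulnerable form: the user-supplied motivation text is concatenated into
// the page as-is, so any tags or event-handler attributes it contains are
// sent to, and executed by, the browser of whoever views the application.
function theme_cvs_application_unsafe($application) {
  $output = '<h2>' . check_plain($application->name) . '</h2>';
  $output .= '<div class="motivation">' . $application->motivation . '</div>';
  return $output;
}

// Fixed form: the field is passed through check_markup(), which runs the
// text through the filters of the configured input format (the default
// filtered HTML format strips disallowed tags and attributes) before it
// is output. This is the change the advisory describes.
function theme_cvs_application_safe($application) {
  $output = '<h2>' . check_plain($application->name) . '</h2>';
  $output .= '<div class="motivation">' . check_markup($application->motivation) . '</div>';
  return $output;
}

// If the field should never carry markup at all, check_plain() (which
// HTML-escapes every special character) is the stricter alternative.
```

A useful review check for any Drupal 4.7 module is to grep its theme and display code for user-supplied fields that reach the output string without passing through check_markup(), check_plain() or filter_xss().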
------------VERSIONS AFFECTED------------
* CVS management/tracker 4.7.x-1.0
* CVS management/tracker 4.7.x-2.0
* CVS management/tracker 4.7.0 (from before the new release system)
Drupal core is not affected. If you do not use the contributed CVS management/tracker module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* CVS management/tracker 4.7.x-1.1 [http://drupal.org/node/101548].
* CVS management/tracker 4.7.x-2.1 [http://drupal.org/node/101549].
If you are using a version of CVS management/tracker from before the new release system (4.7.0), upgrade to 4.7.x-1.1.
See also the CVS management/tracker project page [http://drupal.org/project/cvslog].
------------REPORTED BY------------
Karthik aka Zen aka |gatsby|
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].