------------MYSITE - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2006-032.
* Project: MySite (third-party module).
* Version: 4.7.0, 4.7.x-3.2, 5.x-1.2.
* Date: 2006-12-18.
* Security risk: Less critical.
* Exploitable from: Remote.
* Vulnerability: Cross site scripting.
------------DESCRIPTION------------
Data is not properly sanitised before being used in titles. This can be exploited to insert and execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia [
http://en.wikipedia.org/wiki/Cross_site_scripting].
------------VERSIONS AFFECTED------------
* MySite 5.x-1.2
* MySite 4.7.x-3.2
* MySite download prior to the new release system
Drupal core is not affected. If you do not use the contributed MySite module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* MySite 4.7.x-3.3 [
http://drupal.org//node/103960].
* MySite 5.x-1.3 [
http://drupal.org//node/103962].
See also the MySite project page [
http://drupal.org/project/mysite].
------------REPORTED BY------------
Mark Baggett.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact].