Scoutnet vzw http://forum.scoutnet.be/ |
|
[Drupal] Security announcements: MySite http://forum.scoutnet.be/viewtopic.php?f=19&t=1732 |
Pagina 1 van 1 |
Auteur: | To [ 18 Dec 2006 11:51 ] |
Titel: | [Drupal] Security announcements: MySite |
------------MYSITE - CROSS SITE SCRIPTING------------ * Advisory ID: DRUPAL-SA-2006-032. * Project: MySite (third-party module). * Version: 4.7.0, 4.7.x-3.2, 5.x-1.2. * Date: 2006-12-18. * Security risk: Less critical. * Exploitable from: Remote. * Vulnerability: Cross site scripting. ------------DESCRIPTION------------ Data is not properly sanitised before being used in titles. This can be exploited to insert and execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia [http://en.wikipedia.org/wiki/Cross_site_scripting]. ------------VERSIONS AFFECTED------------ * MySite 5.x-1.2 * MySite 4.7.x-3.2 * MySite download prior to the new release system Drupal core is not affected. If you do not use the contributed MySite module, there is nothing you need to do. ------------SOLUTION------------ Install the latest version: * MySite 4.7.x-3.3 [http://drupal.org//node/103960]. * MySite 5.x-1.3 [http://drupal.org//node/103962]. See also the MySite project page [http://drupal.org/project/mysite]. ------------REPORTED BY------------ Mark Baggett. ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact]. |
Pagina 1 van 1 | Alle tijden zijn UTC + 1 uur |
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |