------------CONTENT CONSTRUCTION KIT - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2007-019
* Project: Content Construction Kit (CCK) (third-party module)
* Version: 4.7.x-1.x, 5.x-1.x
* Date: 2007-August-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The Content Construction Kit (CCK) allows site admins to create and customize node fields. The Nodereference module included in the CCK bundle defines fields referencing other nodes.
Two cross-site scripting (XSS) vulnerabilities were discovered :
* when a nodereference field is displayed using the 'plain' formatter.
* when a nodereference field is edited using the 'autocomplete text field' widget (only when _not_ using the 'advanced options - Views.module' for the field).
------------VERSIONS AFFECTED------------
* Nodereference (CCK - nodereference.module) 4.7.x-1.* before version 4.7.x-1.6.
* Nodereference (CCK - nodereference.module) 5.x-1.* before version 5.x-1.6.
Drupal core is not affected. If you do not use the contributed CCK / Nodereference module, there is nothing you need to do.
------------SOLUTION------------
Install the latest CCK release corresponding to your Drupal version: or
* CCK 4.7.x-1.6 [
http://drupal.org/node/166994 ].
* CCK 5.x-1.6 [
http://drupal.org/node/166992 ].
Disabling the Nodereference module provides an immediate workaround.
See also the CCK project page [
http://drupal.org/project/cck ].
------------REPORTED BY------------
Gerhard Killesreiter (killes [
http://drupal.org/user/227 ]) of the Drupal Security Team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].