------------SA-2008-012 - PROJECT ISSUE TRACKING - XSS VULNERABILITY IN COMMENT SUMMARY TABLES------------
* Advisory ID: DRUPAL-SA-2008-012
* Project: Project issue tracking (third-party module)
* Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
* Date: 2007-January-30
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
------------DESCRIPTION------------
The Project issue tracking [
http://drupal.org/project/project_issue ] module provides a summary table to show changes in issue states between comments.
Users who have certain editing rights may be able to inject arbitrary code on pages containing these tables.
Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).
------------VERSIONS AFFECTED------------
Project issue tracking (project_issue) versions:
* 5.x-2.x-dev from before 2008-01-30
* 5.x-1.2 and earlier
* 4.7.x-2.6 and earlier
* 4.7.x-1.6 and earlier
Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* Project issue tracking 5.x-2.0 [
http://drupal.org/node/216121 ]
* Project issue tracking 5.x-1.3 [
http://drupal.org/node/216120 ]
* Project issue tracking 4.7.x-2.7 [
http://drupal.org/node/216119 ]
* Project issue tracking 4.7.x-1.7 [
http://drupal.org/node/216118 ]
As a temporary workaround, sites can disable the 'maintain projects' and 'administer projects' permissions for all users.
See also the Project issue tracking project page [
http://drupal.org/project/project_issue ].
------------REPORTED BY------------
Chad Phillips [
http://drupal.org/user/22079 ] of the Drupal Security Team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].