Scoutnet vzw

We connect scouts!
Author: Site Admin
Posted: 31 Jan 2008 11:46

------------SA-2008-012 - PROJECT ISSUE TRACKING - XSS VULNERABILITY IN COMMENT SUMMARY TABLES------------

* Advisory ID: DRUPAL-SA-2008-012

* Project: Project issue tracking (third-party module)

* Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x

* Date: 2007-January-30

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Cross-site scripting (XSS)

------------DESCRIPTION------------

The Project issue tracking [ http://drupal.org/project/project_issue ] module provides a summary table to show changes in issue states between comments.
Users who have certain editing rights may be able to inject arbitrary code on pages containing these tables.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

* 5.x-2.x-dev from before 2008-01-30

* 5.x-1.2 and earlier

* 4.7.x-2.6 and earlier

* 4.7.x-1.6 and earlier

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]

* Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]

* Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]

* Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

As a temporary workaround, sites can disable the 'maintain projects' and 'administer projects' permissions for all users.

See also the Project issue tracking project page [ http://drupal.org/project/project_issue ].

------------REPORTED BY------------

Chad Phillips [ http://drupal.org/user/22079 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

