Scoutnet vzw http://forum.scoutnet.be/ |
[Drupal] Security announcements: Flickr - XSS http://forum.scoutnet.be/viewtopic.php?f=19&t=2096 |
Page 1 of 1 |
Author: | To [ 03 Apr 2008 21:56 ] |
Title: | [Drupal] Security announcements: Flickr - XSS |
------------SA-2008-022 - FLICKR - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-022
* Project: Flickr (third-party module)
* Version: 5.x, 6.x
* Date: 2008-April-02
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

The Flickr module allows one to access photos on one's site via the Flickr API. The module provides a filter for inserting photos and photosets and blocks for a user's recent photos and photosets. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages.

------------VERSIONS AFFECTED------------

* Flickr for Drupal 5.x prior to 5.x-1.3
* Flickr for Drupal 6.x prior to 6.x-1.0-alpha

Drupal core is not affected. If you do not use the contributed Flickr module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you use Drupal 5.x install Flickr 5.x-1.3 [ http://drupal.org/node/241943 ].
* If you use Drupal 6.x install Flickr 6.x-1.0-alpha1. [ http://drupal.org/node/241941 ]

See also the Flickr project page [ http://drupal.org/project/flickr ].

------------REPORTED BY------------

Kees Cook [ https://wiki.ubuntu.com/KeesCook ] reported this issue.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
All times are UTC + 1 hour |