------------SA-2008-033 - TAXONOMY IMAGE - CROSS SITE SCRIPTING------------
* Advisory ID: SA-2008-033
* Project: Taxonomy Image (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-June-11
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The contributed module Taxonomy Image allows the display of images associated with taxonomy terms.
Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting [
http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access.
------------VERSIONS AFFECTED------------
* Taxonomy Image for Drupal 5.x before Taxonomy Image 5.x-1.3
* Taxonomy Image for Drupal 6.x before Taxonomy Image 6.x-1.3
Drupal core is not affected. If you do not use the contributed Taxonomy Image module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you currently use Taxonomy Image 5.x-1.x upgrade to Taxonomy Image 5.x-1.3 [
http://drupal.org/node/265780 ]
* If you currently use Taxonomy Image 6.x-1.x upgrade to Taxonomy Image 6.x-1.3 [
http://drupal.org/node/265779 ]
See also the Taxonomy Image project page [
http://drupal.org/project/taxonomy_image ].
------------REPORTED BY------------
Owen Barton (Grugnog2 [
http://drupal.org/user/19668 ]).
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].