Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Taxonomy Image - XSS
http://forum.scoutnet.be/viewtopic.php?f=19&t=2134
Pagina 1 van 1

Auteur:  To [ 11 Jun 2008 18:30 ]
Titel:  [Drupal] Security announcements: Taxonomy Image - XSS

------------SA-2008-033 - TAXONOMY IMAGE - CROSS SITE SCRIPTING------------

* Advisory ID: SA-2008-033
* Project: Taxonomy Image (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-June-11
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

The contributed module Taxonomy Image allows the display of images associated with taxonomy terms.

Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting [ http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access.

------------VERSIONS AFFECTED------------

* Taxonomy Image for Drupal 5.x before Taxonomy Image 5.x-1.3
* Taxonomy Image for Drupal 6.x before Taxonomy Image 6.x-1.3

Drupal core is not affected. If you do not use the contributed Taxonomy Image module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Taxonomy Image 5.x-1.x upgrade to Taxonomy Image 5.x-1.3 [ http://drupal.org/node/265780 ]
* If you currently use Taxonomy Image 6.x-1.x upgrade to Taxonomy Image 6.x-1.3 [ http://drupal.org/node/265779 ]

See also the Taxonomy Image project page [ http://drupal.org/project/taxonomy_image ].

------------REPORTED BY------------

Owen Barton (Grugnog2 [ http://drupal.org/user/19668 ]).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1 Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/