it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities
- Date: Wed, 15 Sep 2010 19:27:23 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Security announcements <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-092
* Project: Advanced Book Blocks (third-party module)
* Version: 6.x
* Date: 2010-September-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Advanced Book Blocks module integrates with the API provided by the jQuery
Menu module (version 1.8 and higher) to provide click-and-expand book menus,
with the ability to customize each block individually.
The module contained cross-site scripting vulnerabilities which could allow a
malicious user holding one of several non-default permissions to inject
arbitrary JavaScript into the administrative pages provided by this module.
Because that script runs in the administrator's browser session, it can act
with the administrator's privileges.
The module also contained cross-site request forgery vulnerabilities which
could allow an attacker to trick an administrator into unintentionally
deleting or resetting blocks provided by this module, for example by getting
the administrator to follow a crafted link while logged in.
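The two bug classes named above, as an added illustration in Drupal 6 PHP. This is not code from the Advanced Book Blocks module, and the advisory does not publish the affected code; the module name abb_example, the {abb_example_blocks} table, the admin paths and the permission name are all hypothetical. The first half shows the usual shape of these bugs (a block title printed into an admin page unescaped, and a state-changing GET path with nothing tying it to the administrator's intent); the second half shows the standard Drupal 6 fixes: check_plain() for output encoding and confirm_form() for a token-protected POST confirmation.

```php
<?php
// Added illustration, not code from the Advanced Book Blocks module.
// "abb_example", its table, paths and permission are hypothetical.
// In a real module the two *_menu() functions below would both be hook_menu();
// they are named separately here only so the file is valid PHP.

// ---------- Vulnerable pattern ----------

function abb_example_menu_vulnerable() {
  $items['admin/settings/abb-example/delete/%'] = array(
    'title' => 'Delete block',
    'page callback' => 'abb_example_delete_vulnerable',
    'page arguments' => array(4),
    'access arguments' => array('administer abb example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// CSRF: a plain GET to this path deletes the block. An <img src="..."> or a
// link on any site the administrator visits while logged in is enough.
function abb_example_delete_vulnerable($bid) {
  db_query("DELETE FROM {abb_example_blocks} WHERE bid = %d", $bid);
  drupal_goto('admin/settings/abb-example');
}

// XSS: the title was entered by a user with a (non-default) block-creation
// permission and is printed into the admin listing without escaping.
function abb_example_list_vulnerable() {
  $rows = array();
  $result = db_query("SELECT bid, title FROM {abb_example_blocks}");
  while ($block = db_fetch_object($result)) {
    $rows[] = array(
      $block->title, // unescaped: <script> in the title runs for the admin
      l(t('delete'), 'admin/settings/abb-example/delete/' . $block->bid),
    );
  }
  return theme('table', array(t('Title'), t('Operations')), $rows);
}

// ---------- Hardened pattern ----------

function abb_example_menu_fixed() {
  $items['admin/settings/abb-example/delete/%'] = array(
    'title' => 'Delete block',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('abb_example_delete_confirm', 4),
    'access arguments' => array('administer abb example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// confirm_form() renders a POST form carrying Drupal's per-session form token,
// so a cross-site GET, or a POST forged from another origin, fails form
// validation before the submit handler can run.
function abb_example_delete_confirm(&$form_state, $bid) {
  $form['bid'] = array('#type' => 'value', '#value' => $bid);
  return confirm_form($form,
    t('Are you sure you want to delete block %bid?', array('%bid' => $bid)),
    'admin/settings/abb-example',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function abb_example_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {abb_example_blocks} WHERE bid = %d",
    $form_state['values']['bid']);
  drupal_set_message(t('Block deleted.'));
  $form_state['redirect'] = 'admin/settings/abb-example';
}

// Output encoding: check_plain() HTML-escapes the untrusted title, so a
// stored payload is displayed as text rather than interpreted by the browser.
function abb_example_list_fixed() {
  $rows = array();
  $result = db_query("SELECT bid, title FROM {abb_example_blocks}");
  while ($block = db_fetch_object($result)) {
    $rows[] = array(
      check_plain($block->title),
      l(t('delete'), 'admin/settings/abb-example/delete/' . $block->bid),
    );
  }
  return theme('table', array(t('Title'), t('Operations')), $rows);
}
```

Where a link must stay GET-based (a "reset" action, say), the Drupal 6 alternative to a confirmation form is to append drupal_get_token($bid) as a query parameter when building the link and reject the request in the page callback unless drupal_valid_token($_GET['token'], $bid) holds; that is weaker than a POST confirmation only in that the token appears in the URL, and it still blocks forged requests from another origin. After upgrading, confirm the installed version by checking that the module's advancedbookblocks.info file reads version = "6.x-2.2" (drupal.org packaging writes that line) and that any custom copies or patched checkouts of the module are replaced as well.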
-------- VERSIONS AFFECTED ---------------------------------------------------
* Advanced Book Blocks module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Advanced Book
Blocks [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Advanced Book Blocks module for Drupal 6.x, upgrade to
Advanced Book Blocks 6.x-2.2 [2]
See also the Advanced Book Blocks project page [3].
-------- REPORTED BY ---------------------------------------------------------
* Matt Chapman, of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
* Aaron Hawkins, the module maintainer.
* Matt Chapman, of the Drupal Security Team.
-------- CONTACT -------------------------------------------------------------
The Drupal security team [4] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/advancedbookblocks
[2] http://drupal.org/node/912586
[3] http://drupal.org/project/advancedbookblocks
[4] http://drupal.org/security-team
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news