
it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-111 - Views - Cross Site Scripting

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-111 - Views - Cross Site Scripting
  • Date: Wed, 15 Dec 2010 21:06:11 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-111
* Project: Views (third-party module)
* Version: 6.x
* Date: 2010-December-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content are presented. Under certain
circumstances, Views could display parts of the page path without escaping,
resulting in a reflected Cross Site Scripting (XSS [1]) vulnerability. An
attacker could exploit this to gain full administrative access. *Mitigating
factors:* This vulnerability only occurs with a specific combination of
configuration options for a specific View, but this combination is used in
the default Views provided by some additional modules. A malicious user would
need to get an authenticated administrative user to visit a specially crafted
URL.
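
As an added illustration of the bug class the advisory describes (not code from the Views module), here is a Drupal 6 style page callback that places a path segment into HTML output, first without escaping and then through check_plain(); the example_ function names and the sample path segment are constructed for this example.

```php
<?php
// Added illustration, not Views' own code: the bug class described in the
// advisory, a page-path component placed into HTML output without escaping.
// Names prefixed example_ are hypothetical.

// Stand-in for Drupal 6's check_plain() so this file runs outside Drupal;
// the real function is this same htmlspecialchars() call.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the path segment is concatenated into markup as-is,
// so any markup carried in the URL becomes part of the rendered page.
function example_header_unsafe($path_segment) {
  return '<h2>Results for ' . $path_segment . '</h2>';
}

// Hardened pattern: encode the segment before it reaches the page, so the
// browser renders it as text rather than interpreting it as HTML.
function example_header_safe($path_segment) {
  return '<h2>Results for ' . check_plain($path_segment) . '</h2>';
}

// Constructed sample: in Drupal 6 the segment would come from arg(1) for a
// path such as taxonomy/<segment>; here it is supplied directly.
$segment = 'news<b>bold</b>';
echo example_header_unsafe($segment), "\n";
echo example_header_safe($segment), "\n";
```

The unsafe variant returns the sample's `<b>` tag intact, while the hardened one returns it encoded as `&lt;b&gt;`, which is what an escaping review of a View's configured header, title or argument display should confirm.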

-------- VERSIONS AFFECTED ---------------------------------------------------

* Views module for Drupal 6.x versions prior to 6.x-2.12

Drupal core is not affected. If you do not use the contributed Views [2]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.12 [3]

See also the Views project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Alexander Kirienko [5]

-------- FIXED BY ------------------------------------------------------------

* Earl Miles (merlinofchaos [6]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/views
[3] http://drupal.org/node/999386
[4] http://drupal.org/project/views
[5] http://drupal.org/user/1019216
[6] http://drupal.org/user/26979
[7] http://drupal.org/security-team

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news


