[Frugalware-security] [ FSA-529 ] drupal-simplenews
Miklos Vajna
vmiklos at frugalware.org
Fri Sep 26 23:03:45 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Frugalware Security Advisory FSA-529
Date: 2008-09-26
Package: drupal-simplenews
Vulnerable versions: <= 5.x_1.4-1
Unaffected versions: >= 5.x_1.5-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3362
CVE: There is no CVE for this issue yet, see http://drupal.org/node/312944.
Description
===========
A vulnerability has been reported in the Simplenews module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.
Input passed as Newsletter categories is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when the malicious data is viewed.
Successful exploitation requires valid user credentials with the "administer taxonomy" permission.
Updated Packages
================
Check if you have drupal-simplenews installed:
# pacman-g2 -Q drupal-simplenews
If found, then you should upgrade to the latest version:
# pacman-g2 -Sy drupal-simplenews
Availability
============
The latest revision of this advisory is available at
http://frugalware.org/security/529
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info
iEYEARECAAYFAkjdTjEACgkQZ7NElSD1VhlhRwCglQzNF1PmeN1+Hzr4PsOz094S
5VgAn0aQDYeU5BpJVcLZ4r9XfmZmECU1
=TymW
-----END PGP SIGNATURE-----
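
The script insertion described in the advisory above, shown as an added example that is not part of the advisory and is not Simplenews or Drupal source code. The function names and sample category names are hypothetical, and htmlspecialchars() stands in for Drupal's check_plain() so the file runs without Drupal.

```php
<?php
// Added illustration; render_categories_*() and names_with_markup() are
// hypothetical helpers, not functions from Simplenews or Drupal.

// Constructed sample: category names as they might sit in storage after an
// account with the "administer taxonomy" permission saved them unfiltered.
$stored_categories = array(
  'Monthly news',
  'Offers <script>/* attacker-controlled script */</script>',
  'R&D "beta" list',
);

// Unsafe pattern: stored text is concatenated into markup as-is, so any
// HTML it contains is parsed by the browser of whoever views the page.
function render_categories_unsafe(array $names) {
  $items = '';
  foreach ($names as $name) {
    $items .= '<li>' . $name . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

// Hardened pattern: encode at output time. Drupal's check_plain() serves
// this purpose; htmlspecialchars() is used here as a stand-in (assumption).
function render_categories_safe(array $names) {
  $items = '';
  foreach ($names as $name) {
    $items .= '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

// Audit helper: list stored names that contain markup, so values saved
// before the fix can be reviewed by an administrator.
function names_with_markup(array $names) {
  return array_values(array_filter($names, function ($n) {
    return $n !== strip_tags($n);
  }));
}

echo render_categories_unsafe($stored_categories), "\n";
echo render_categories_safe($stored_categories), "\n";
print_r(names_with_markup($stored_categories));
```

Only the second sample name is flagged by names_with_markup(); the ampersand and quotes in the third are harmless once encoded on output.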