From vmiklos at frugalware.org Fri Jun 18 10:16:04 2010
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Fri, 18 Jun 2010 10:16:04 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-674 ] drupal-scheduler
Message-ID: <20100618081604.3649312D90F1@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-674

Date: 2010-06-18
Package: drupal-scheduler
Vulnerable versions: <= 5.x_1.18-1
Unaffected versions: >= 5.x_1.19-1locris1
Related bugreport: http://bugs.frugalware.org/task/4228
CVE: No CVE, see http://drupal.org/node/810220

Description
===========

A vulnerability has been reported in the Scheduler module for Drupal,
which can be exploited by malicious users to conduct script insertion
attacks.

Input passed via titles of unpublished nodes is not properly sanitised
before being displayed to the users in the scheduled nodes overview
list. This can be exploited to insert arbitrary HTML and script code,
which will be executed in a user's browser session in context of an
affected site when the malicious data is being viewed.

Successful exploitation requires "schedule (un)publishing of nodes"
permissions.

Updated Packages
================

Check if you have drupal-scheduler installed:

# pacman-g2 -Q drupal-scheduler

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal-scheduler

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/674

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkwbK0QACgkQZ7NElSD1Vhm/TgCgpcSVersC7K9RxRyQun3qyfkG
uP4An352ugCHEoDMN7/magtVIO5IDsQS
=qHeT
-----END PGP SIGNATURE-----
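The bug class the Description above names (a stored node title written into the scheduled nodes overview without escaping) is easiest to see as the unsafe output pattern next to its fixed form. The PHP below is an added illustration written for this advisory, not the Scheduler module's or Frugalware's code: the scheduler_overview_row_*() functions and the $node fields are hypothetical, while check_plain() is Drupal core's HTML-escaping helper, for which a minimal stand-in is defined so the script also runs outside Drupal.

```php
<?php
// Added illustration of the bug class described in FSA-674. This is NOT
// the Scheduler module's own code: scheduler_overview_row_*() and the
// $node fields used below are hypothetical. check_plain() is Drupal
// core's HTML-escaping helper; a stand-in with the same effect is
// defined so this file runs stand-alone (php overview.php).

if (!function_exists('check_plain')) {
  function check_plain($text) {
    // Same effect as Drupal core's check_plain(): escape &, <, >, " and '.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the stored title is concatenated straight into the
// overview row markup. Any account holding "schedule (un)publishing of
// nodes" can save a title containing markup, and it is then rendered as
// live HTML in the browser of every user who views the overview list.
function scheduler_overview_row_vulnerable($node) {
  return '<tr><td><a href="/node/' . (int) $node->nid . '">'
       . $node->title . '</a></td></tr>';
}

// Fixed pattern: the title passes through check_plain() on output, so any
// markup it contains is displayed literally instead of being interpreted.
// The nid is cast to int and therefore needs no escaping.
function scheduler_overview_row_fixed($node) {
  return '<tr><td><a href="/node/' . (int) $node->nid . '">'
       . check_plain($node->title) . '</a></td></tr>';
}

// Constructed sample: an unpublished node whose title carries a script tag.
$node = new stdClass();
$node->nid = 42;
$node->title = 'Draft <script>alert(1)</script>';

echo "Vulnerable: " . scheduler_overview_row_vulnerable($node) . "\n";
echo "Fixed:      " . scheduler_overview_row_fixed($node) . "\n";
```

Running it prints the same row twice, once with the script tag intact and once with its angle brackets turned into entities. The escaping belongs at the point of output, not at save time: a title is legitimately allowed to contain characters such as < or &, and it is the HTML context of the overview list that requires them to be encoded. When auditing a contributed module for this pattern, look for user-controlled fields ($node->title, usernames, taxonomy terms) that reach a theme function or string concatenation without check_plain() or an equivalent filter.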