drupal-cck

2008-10-19

Page content

Author: Miklos Vajna
Vulnerable: 5.x_1.7-1
Unaffected: 5.x_1.9-1solaria1

Some vulnerabilities have been reported in the Drupal Content Construction Kit (CCK), which can be exploited by malicious users to conduct script insertion attacks. Input passed to some fields settings forms (e.g. “field label”, “help text”, “allowed values”) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires “administer content” privileges.

Bug Tracker URL: http://bugs.frugalware.org/task/3347

CVEs:

No CVE, see http://drupal.org/node/304093