• Advisory ID: DRUPAL-SA-CONTRIB-2012-002
  • Project: Lingotek Collaborative Translation (third-party module)
  • Version: 6.x
  • Date: 2012-January-04
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

CVE: CVE-2012-1624

This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network.

The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially input malicious code (e.g. Javascript) to create a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit or create node content types.

Versions affected

  • Lingotek 6.x-1.x versions prior to 6.x-1.4 6.x-1.40.

Drupal core is not affected. If you do not use the contributed Lingotek Collaborative Translation module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Lingotek module for Drupal 6.x, upgrade to Lingotek 6.x-1.4 Lingotek 6.x-1.40.

See also the Lingotek Collaborative Translation project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.