Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2012-008
- Project: Video Filter (third-party module)
- Version: 6.x, 7.x
- Date: 2012-JANUARY-11
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display.
This vulnerability is mitigated by the fact that the attacker has to be able to either control the source of third party data (such as via DNS hijack) or manipulate it in transit.
- Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0.
- Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0.
Drupal core is not affected. If you do not use the contributed Video Filter module, there is nothing you need to do.
Install the latest version:
- If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter 6.x-3.0
- If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter 7.x-3.0
See also the Video Filter project page.
- Dave Reid, Drupal Security Team member
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.