- Advisory ID: DRUPAL-SA-2006-008
- Project: Drupal core
- Date: 2006-Jun-01
- Security risk: less critical
- Impact: Drupal core
- Exploitable from: remote
- Vulnerability: cross-site scripting
Description
It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain()
.
Versions affected
- Drupal 4.6.x versions before Drupal 4.6.8.
- Drupal 4.7.x versions before Drupal 4.7.2.
Solution
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.8.
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.2.
To patch Drupal 4.6.7 use the http://drupal.org/files/sa-2006-008/4.6.7.patch.
To patch Drupal 4.7.1 use the http://drupal.org/files/sa-2006-008/4.7.1.patch.
Reported by
Bart Jansens
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.