(Please note that the security team approved this as a public issue)
There is a Cross Site Scripting issue in Filter Tips (full listing) - coming from site name:
Reproduce:
Put
into Site name in configuration
Go to ?q=filter/tips
Result:
alert 'xssname - site'
Since you have to have "administer site configuration" permission to exploit this, there is really no attack vector - you already have elevated privileges.
This affects both 7.x and probably 6.x.
Just an issue now, patch later.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | drupal.filter-tips-xss.1.patch | 1.82 KB | sun |
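The root cause described above is the site name being inserted into the filter tips output without escaping. The following is an added illustration, not Drupal's own code and not the attached patch (which is not shown on this page): it uses minimal stand-ins for Drupal's `t()` and `check_plain()` to contrast a raw `!site` placeholder with an escaping `@site` placeholder, which is the fix pattern assumed here.

```php
<?php
// Stand-in for Drupal's check_plain(): HTML-escape a plain-text string.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal's t() placeholder handling (translation omitted):
// '@var' values are passed through check_plain(), '!var' values are raw.
function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = check_plain($value);
    }
  }
  return strtr($string, $args);
}

// Constructed sample: a site name containing markup, as an administrator
// with "administer site configuration" could set it.
$site_name = 'xssname <b>site</b>';

// Vulnerable pattern (assumed shape): the '!' placeholder inserts the
// site name verbatim, so any markup in it reaches the page unescaped.
$vulnerable = t('Content on !site is filtered before display.',
                array('!site' => $site_name));

// Hardened pattern: the '@' placeholder escapes the value on output.
$hardened = t('Content on @site is filtered before display.',
              array('@site' => $site_name));

// Demonstrate the difference: only the hardened output is free of raw tags.
var_dump(strpos($vulnerable, '<b>') !== false); // bool(true)
var_dump(strpos($hardened, '<b>') === false);   // bool(true)
echo $hardened, "\n";
```

Auditing for `!` placeholders that carry user- or admin-controlled strings is the corresponding defensive check across a Drupal code base.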
Comments

Comment #1
sun: Resolved.

Comment #2
sun

Comment #3
casey commented: Patch is good and still applies.

Comment #4
Dries commented: Committed to CVS.