Closed Bug 463520 Opened 16 years ago Closed 16 years ago

SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities

Categories

(quality.mozilla.org :: Website, defect, P1)

Product:
quality.mozilla.org
Component:
Website
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED WORKSFORME

People

(Reporter: cbook, Assigned: abuchanan)

References

(
URL
)

Details

We should make sure that the new QMO gets the updated module before we go live again.

-----

SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities
Security announcements
Damien Tournoud - November 5, 2008 - 18:51

    * Advisory ID: DRUPAL-SA-2008-069
    * Project: Content Construction Kit (third-party module)
    * Versions: 5.x, 6.x
    * Date: 2008-November-5
    * Security risk: Minor
    * Exploitable from: Remote
    * Vulnerability: Cross site scripting

Description

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.
Versions Affected

    * CCK for Drupal 5.x prior to 5.x-1.10
    * CCK for Drupal 6.x prior to 6.x-2.0 (including all RC releases)

Drupal core is not affected. If you do not use the contributed CCK module, there is nothing you need to do.
Solution

Install the latest version:

    * For Drupal 5.x, install CCK 5.x-1.10
    * For Drupal 6.x, install CCK 6.x-2.0

See also the CCK project page.
Reported by

The cross site scripting issue was reported by CCK maintainers.
Priority: -- → P1
Assignee: nobody → buchanae
I believe the version we have for CCK (6.x-2.1+) is not effected, so we must have updated it a while back.  Marketing this WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Mass move of bugs to new product
Component: quality.mozilla.org → QMO: Website
Product: Websites → QMO
verified, CCK 6.x-2.3 on production.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.