Closed
Bug 528174
Opened 15 years ago
Closed 15 years ago
[Security-news] SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting
Categories
(Websites Graveyard :: spreadfirefox.com, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: paul, Unassigned)
Details
(Keywords: wsec-xss)
* Advisory ID: DRUPAL-SA-CONTRIB-2009-100
* Project: AddToAny (third-party module)
* Version: 5.x, 6.x
* Date: 2009 November 11
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The AddToAny module provides a share button for the AddToAny service for social
networks. The module fails to sanitize a value in the node title, leading to a
Cross Site Scripting (XSS [1]) vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 [2]
* AddToAny module for Drupal 5.x prior to AddToAny 5.x-2.4 [3]
Drupal core is not affected. If you do not use the contributed AddToAny
module [4], there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use the AddToAny module for Drupal 6.x, upgrade to AddToAny 6.x-2.4 [5]
* If you use the AddToAny module for Drupal 5.x, upgrade to AddToAny 5.x-2.4 [6]
-------- REPORTED BY ---------------------------------------------------------
* Reported by Jakub Suchy [7] of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
* Fixed by Pat Diven [8], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/601110
[3] http://drupal.org/node/630198
[4] http://drupal.org/project/addtoany
[5] http://drupal.org/node/601110
[6] http://drupal.org/node/630198
[7] http://drupal.org/user/31977
[8] http://drupal.org/user/260224
_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
Comment 1•15 years ago
r56013 updates the module on trunk
This module isn't in production yet, so no need for a push to production here.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•13 years ago
Product: Websites → Websites Graveyard
Comment 2•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss