Drupal Multiple XSS and Request Forgery Vulnerabilities
The application is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. The Internationalization module is also prone to cross-site request forgery attacks while performing node translations.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the cross-site request-forgery issue by tricking a victim into following a specially crafted HTTP request designed to perform some action on the attacker’s behalf using a victim’s currently active session. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.
The vendor has released updates.
Vulnerable:
Drupal Localizer 5.x 3.3
Drupal Localizer 5.x 2.x-dev
Drupal Localizer 5.x 1.10
Drupal Internationalization 6.x 1.x-dev
Drupal Internationalization 5.x 2.2
Drupal Internationalization 5.x 1.x-dev
Not Vulnerable:
Drupal Localizer 5.x 3.4
Drupal Localizer 5.x 2.1
Drupal Localizer 5.x 1.11
Drupal Internationalization 6.x 1.0-beta1
Drupal Internationalization 5.x 2.3
Drupal Internationalization 5.x 1.1
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.