Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
BID:25321
Info
Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
| Bugtraq ID: | 25321 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-4363 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 14 2007 12:00AM |
| Updated: | May 07 2015 05:36PM |
| Credit: | Gerhard Killesreiter, Drupal Security Team is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Drupal Content Construction Kit (CCK) 5.0-1.5 Drupal Content Construction Kit (CCK) 4.7.0-1.5 |
| Not Vulnerable: |
Drupal Content Construction Kit (CCK) 5.0-1.6 Drupal Content Construction Kit (CCK) 4.7.0-1.6 |
Discussion
Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
Drupal Content Construction Kit is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content.
An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Drupal Content Construction Kit is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content.
An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Exploit / POC
Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
Attackers can use a browser to exploit these issues.
Attackers can use a browser to exploit these issues.
Solution / Fix
Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
Solution:
The vendor released updates to address these issues. Please see the references for more information.
Drupal Content Construction Kit (CCK) 5.0-1.5
Drupal Content Construction Kit (CCK) 4.7.0-1.5
Solution:
The vendor released updates to address these issues. Please see the references for more information.
Drupal Content Construction Kit (CCK) 5.0-1.5
-
Drupal cck-5.x-1.6.tar.gz
http://ftp.drupal.org/files/projects/cck-5.x-1.6.tar.gz
Drupal Content Construction Kit (CCK) 4.7.0-1.5
-
Drupal cck-4.7.x-1.6.tar.gz
http://ftp.drupal.org/files/projects/cck-4.7.x-1.6.tar.gz
References
Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities
References:
References:
- Drupal cck 5.x-1.6 Release Notes (Drupal)
- Drupal Modules Home Page (Drupal)
- Drupal cck 4.7.x-1.6 Release Notes (Drupal)
- Drupal Security Advisory DRUPAL-SA-2007-019 (Drupal)