Drupal Weblinks Multiple Unspecified HTML Injection Vulnerabilities

Bugtraq ID:	26125
Class:	Input Validation Error
CVE:	CVE-2007-5598
Remote:	Yes
Local:	No
Published:	Sep 22 2005 12:00AM
Updated:	Nov 15 2007 12:39AM
Credit:	Brandon Bergren is credited with the discovery of these vulnerabilities.
Vulnerable:	Drupal Weblinks 5.0-1.7 Drupal Weblinks 4.7.0-1.0 -dev
Not Vulnerable:	Drupal Weblinks 5.0-1.8 Drupal Weblinks 4.7.0-1.0

Drupal Weblinks Multiple Unspecified HTML Injection Vulnerabilities

Drupal Weblinks is prone to multiple unspecified HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

Drupal Weblinks Multiple Unspecified HTML Injection Vulnerabilities

An attacker can use a browser to exploit these issues.

Drupal Weblinks Multiple Unspecified HTML Injection Vulnerabilities

Solution:
The vendor released updates and an advisory to address these issues. Please see the references for more information.


Drupal Weblinks 4.7.0-1.0 -dev

• Drupal weblinks-4.7.x-1.0.tar.gz
  http://ftp.drupal.org/files/projects/weblinks-4.7.x-1.0.tar.gz

Drupal Weblinks 5.0-1.7

• Drupal weblinks-5.x-1.8.tar.gz
  http://ftp.drupal.org/files/projects/weblinks-5.x-1.8.tar.gz

Drupal Weblinks Multiple Unspecified HTML Injection Vulnerabilities

References:

• Drupal Web Links Homepage (Drupal)
  
• Drupal Security Advisory SA-2007-028 (Drupal)