Drupal Tinytax taxonomy block Module HTML Injection Vulnerability

Bugtraq ID:	30069
Class:	Input Validation Error
CVE:	CVE-2008-3097
Remote:	Yes
Local:	No
Published:	Jul 02 2008 12:00AM
Updated:	May 07 2015 05:27PM
Credit:	Simon Rycroft
Vulnerable:	Drupal Tinytax taxonomy block 5.x-1.10
Not Vulnerable:	Drupal Tinytax taxonomy block 5.x-1.10-1

Drupal Tinytax taxonomy block Module HTML Injection Vulnerability

The Tinytax taxonomy block module for Drupal is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

This issue affects versions prior to Tinytax taxonomy block 5.x-1.10-1.

Drupal Tinytax taxonomy block Module HTML Injection Vulnerability

Attackers can exploit these issues via a browser.

Drupal Tinytax taxonomy block Module HTML Injection Vulnerability

Solution:
The vendor has released fixes. Please see the references for more information.

Drupal Tinytax taxonomy block Module HTML Injection Vulnerability

References:

• SA-2008-042 - Tinytax - Cross site scripting (Drupal)
  
• Vendor Homepage (Drupal)
  
• Tinytax taxonomy block Homepage (Drupal)