Drupal Content Creation Kit Module Multiple HTML Injection Vulnerabilities

Bugtraq ID:	31027
Class:	Input Validation Error
CVE:	CVE-2008-6972
Remote:	Yes
Local:	No
Published:	Sep 04 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	Peter Wolanin
Vulnerable:	Drupal Content Construction Kit (CCK) 5.0-1.7 Drupal Content Construction Kit (CCK) 5.0-1.6 Drupal Content Construction Kit (CCK) 5.0-1.5 Drupal Content Construction Kit (CCK) 5.0-1.4 Drupal Content Construction Kit (CCK) 5.0-1.3 Drupal Content Construction Kit (CCK) 5.0-1.2 Drupal Content Construction Kit (CCK) 5.0-1.1 Drupal Content Construction Kit (CCK) 5.0-1.0
Not Vulnerable:	Drupal Content Construction Kit (CCK) 5.0-1.8

Drupal Content Creation Kit Module Multiple HTML Injection Vulnerabilities

The Content Creation Kit (CCK) module for Drupal is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

These issues affect versions prior to CCK 5.x-1.8.

Drupal Content Creation Kit Module Multiple HTML Injection Vulnerabilities

Attackers can exploit these issues via a browser.

Drupal Content Creation Kit Module Multiple HTML Injection Vulnerabilities

Solution:
The vendor has released fixes. Please see the references for more information.

Drupal Content Creation Kit Module Multiple HTML Injection Vulnerabilities

References:

• CCK Project Page (CCK)
  
• SA-2008-048 - CCK - Cross site scripting (Drupal)
  
• Vendor Homepage (Drupal)