Drupal Internationalization Module Cross Site Scripting Vulnerabilities

Bugtraq ID:	39304
Class:	Input Validation Error
CVE:	CVE-2010-1530
Remote:	Yes
Local:	No
Published:	Apr 07 2010 12:00AM
Updated:	Apr 13 2015 09:02PM
Credit:	Antonio Ospite
Vulnerable:	Drupal Internationalization 6.x 1.x-dev Drupal Internationalization 6.x 1.0-beta1 Drupal Internationalization 6.x-1.3 Drupal Internationalization 6.x-1.2
Not Vulnerable:	Drupal Internationalization 6.x-1.4

Drupal Internationalization Module Cross Site Scripting Vulnerabilities

The Internationalization module for Drupal is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Drupal Internationalization Module Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit these issues.

Drupal Internationalization Module Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for details.


Drupal Internationalization 6.x-1.3

• Drupal i18n-6.x-1.4.tar.gz
  http://ftp.drupal.org/files/projects/i18n-6.x-1.4.tar.gz

Drupal Internationalization 6.x 1.x-dev

• Drupal i18n-6.x-1.4.tar.gz
  http://ftp.drupal.org/files/projects/i18n-6.x-1.4.tar.gz

Drupal Internationalization 6.x 1.0-beta1

• Drupal i18n-6.x-1.4.tar.gz
  http://ftp.drupal.org/files/projects/i18n-6.x-1.4.tar.gz

Drupal Internationalization 6.x-1.2

• Drupal i18n-6.x-1.4.tar.gz
  http://ftp.drupal.org/files/projects/i18n-6.x-1.4.tar.gz

Drupal Internationalization Module Cross Site Scripting Vulnerabilities

References:

• Drupal Homepage (Drupal)
  
• SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting (Drupal)