Drupal Panels Module Unspecified HTML Injection Vulnerability

Bugtraq ID:	51568
Class:	Input Validation Error
CVE:	CVE-2012-0914
Remote:	Yes
Local:	No
Published:	Jan 19 2012 12:00AM
Updated:	Mar 08 2015 04:04PM
Credit:	Justin Klein Keane
Vulnerable:	Drupal panels 6.x-3.9 Drupal panels 6.x-3.8 Drupal panels 0
Not Vulnerable:	Drupal panels 6.x-3.10

Drupal Panels Module Unspecified HTML Injection Vulnerability

The Panels module for Drupal is prone to an unspecified HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Panels module for Drupal versions 6.x-2.x prior to 6.x-3.10 are vulnerable.

Drupal Panels Module Unspecified HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Drupal Panels Module Unspecified HTML Injection Vulnerability

Solution:
Updates are available. Please see the references for more details.

Drupal Panels Module Unspecified HTML Injection Vulnerability

References:

• Drupal Homepage (Drupal)
  
• Drupal Panels Module (Drupal)
  
• SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS) (Drupal)