Drupal Views Language Switcher Module Cross Site Scripting Vulnerability

Bugtraq ID:	52497
Class:	Input Validation Error
CVE:	CVE-2012-2064
Remote:	Yes
Local:	No
Published:	Mar 14 2012 12:00AM
Updated:	Mar 08 2015 04:04PM
Credit:	Chris Ruppel
Vulnerable:	Drupal Views Language Switcher 7.x-1.1
Not Vulnerable:	Drupal Views Language Switcher 7.x-1.2

Drupal Views Language Switcher Module Cross Site Scripting Vulnerability

Views Language Switcher module for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to Views Language Switcher 7.x-1.2 are vulnerable.

Drupal Views Language Switcher Module Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Drupal Views Language Switcher Module Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more details.

Drupal Views Language Switcher Module Cross Site Scripting Vulnerability

References:

• Drupal Homepage (Drupal)
  
• Views Language Switcher Homepage (Drupal)
  
• SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS) (Chris Ruppel)