BID:52499

Drupal Language Icons Module Cross Site Scripting Vulnerability

Info

Drupal Language Icons Module Cross Site Scripting Vulnerability

Bugtraq ID:	52499
Class:	Input Validation Error
CVE:	CVE-2012-2065
Remote:	Yes
Local:	No
Published:	Mar 14 2012 12:00AM
Updated:	Mar 19 2015 07:35AM
Credit:	Jose Reyero and Frederik "Freso" S. Olesen
Vulnerable:	Drupal Language Icons 7.x-1.0-rc1 Drupal Language Icons 6.X-2.0

Not Vulnerable:	Drupal Language Icons 7.x-1.0 Drupal Language Icons 6.X-2.1

Discussion

Drupal Language Icons Module Cross Site Scripting Vulnerability

Language Icons module for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Exploit / POC

Drupal Language Icons Module Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Solution / Fix

Drupal Language Icons Module Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more details.

References

Drupal Language Icons Module Cross Site Scripting Vulnerability

References:

Drupal Homepage (Drupal)
SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS) (Jose Reyero)