Drupal Wishlist Module Cross Site Scripting Vulnerability

Bugtraq ID:	52660
Class:	Input Validation Error
CVE:	CVE-2012-2069
Remote:	Yes
Local:	No
Published:	Mar 21 2012 12:00AM
Updated:	Sep 06 2012 10:09PM
Credit:	Justin Klein Keane
Vulnerable:	Drupal wishlist 7.x-2.5 Drupal wishlist 6.X-2.4
Not Vulnerable:	Drupal wishlist 7.x-2.6 Drupal wishlist 6.X-2.6

Drupal Wishlist Module Cross Site Scripting Vulnerability

The Wishlist Module for Drupal is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Following versions are vulnerable:

Wishlist 6.x-2.x versions prior to 6.x-2.6 are vulnerable.
Wishlist 7.x-2.x versions prior to 7.x-2.6 are vulnerable.

Drupal Wishlist Module Cross Site Scripting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

Drupal Wishlist Module Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for details.

Drupal Wishlist Module Cross Site Scripting Vulnerability

References:

• Drupal Language Switcher Dropdown Homepage (Drupal)
  
• SA-CONTRIB-2012-042 - Wishlist Cross Site Scripting (XSS) (Drupal)
  
• Wishlist Module Homepage (Drupal)