BID:52787

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

Info

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

Bugtraq ID:	52787
Class:	Input Validation Error
CVE:	CVE-2012-2075
Remote:	Yes
Local:	No
Published:	Mar 29 2012 12:00AM
Updated:	Aug 16 2012 01:20PM
Credit:	Stella Power
Vulnerable:	Drupal Contact Save 6.x-1.x 0

Not Vulnerable:	Drupal Contact Save 6.x-1.5 0

Discussion

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

Contact Save module for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Contact Save 6.x-1.x versions prior to 6.x-1.5 are vulnerable.

Exploit / POC

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Solution / Fix

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the reference for more details.

References

Drupal Contact Save Module Unspecified Cross Site Scripting Vulnerability

References:

SA-CONTRIB-2012-045 - AddToAny - Cross Site Scripting (Drupal)