Drupal Advertisement Module Cross Site Scripting and Information Disclosure Vulnerabilities

Bugtraq ID:	53590
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 16 2012 12:00AM
Updated:	May 16 2012 12:00AM
Credit:	Andrew Berry
Vulnerable:	Drupal Advertisement 6.x-2.x
Not Vulnerable:	Drupal Advertisement 6.X-2.3 Drupal Advertisement 6.X-2.2

Drupal Advertisement Module Cross Site Scripting and Information Disclosure Vulnerabilities

Advertisement module for Drupal is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information.

Advertisement 6.x-2.x versions prior to 6.x-2.2 are vulnerable.

Drupal Advertisement Module Cross Site Scripting and Information Disclosure Vulnerabilities

Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim to follow a malicious URI.

Drupal Advertisement Module Cross Site Scripting and Information Disclosure Vulnerabilities

Solution:
Updates are available. Please see the references for details.

Drupal Advertisement Module Cross Site Scripting and Information Disclosure Vulnerabilities

References:

• Advertisement Homepage (Drupal)
  
• Drupal Homepage (Drupal)
  
• SA-CONTRIB-2012-77 - Advertisement - Cross Site Scripting & Information Disclosu (Drupal)