Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2012-006
- Projects: SuperCron, Taxotouch, Taxonomy Navigator, Admin:hover (third-party modules)
- Version: 6.x, 7.x
- Date: 2012-January-11
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
CVE: CVE-2012-1628
SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission.
CVE: CVE-2012-1629
Taxotouch helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.
CVE: CVE-2012-1630
Taxonomy Navigatorshows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.
CVE: CVE-2012-1631
Admin:hover allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.
Versions affected
All versions of all four modules are affected by vulnerabilities.
Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.
Solution
Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Abandoned project process
Reported by
- The Supercron issue was prematurely disclosed publicly outside of the security issue reporting process
- Admin:hover issue reported by Ivo Van Geertruyen of the Drupal Security Team
- Taxotouch issue reported by Dylan Tack of the Drupal Security Team
- Taxonomy Navigator issue reported by Dylan Tack of the Drupal Security Team
Fixed by
No fixes created.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
