By heine on
- Advisory ID: DRUPAL-SA-2008-019
- Project: Refine by Taxonomy (third-party module)
- Version: 5.x
- Date: 2008-March-05
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
Refine by Taxonomy is a module that provides a taxonomy browsing user interface.
Taxonomy terms are not escaped before display, making it possible to inject arbitrary HTML and script code into pages which contain the Refine by Taxonomy feature. This may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia.
Versions affected
- Refine by Taxonomy for Drupal 5.x before Refine by Taxonomy 5.x-0.1
Drupal core is not affected. If you do not use the contributed Refine by Taxonomy module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x upgrade to Refine by Taxonomy 5.x-0.1.
See also the Refine by Taxonomy project page.
Reported by
The Refine by Taxonomy maintainer, Bèr Kessels.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
