SA-CONTRIB-2009-055 - BUEditor - Cross Site Scripting

By Drupal Security Team on 9 Sep 2009 at 16:50 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2009-055
Project: BUEditor (third-party module)
Version: 5.x, 6.x
Date: 2009 September 9
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

The BUEditor module provides a plain textarea editor designed to facilitate code writing.

The module suffers from a Cross Site Scripting (XSS) vulnerability, which allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page using the Live preview feature of BUEditor.

Versions affected

BUEditor versions 6.x prior to 6.x-1.4
BUEditor versions 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed BUEditor module there is nothing you need to do.

Solution

Install BUEditor module version 6.x-1.4
Install BUEditor module version 5.x-1.2

Reported by

Reported by Derek Wright of the Drupal security team, fixed by Ufuk Bayburt.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CONTRIB-2009-055 - BUEditor - Cross Site Scripting

Description

Versions affected

Solution

Reported by

Contact

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community