- Advisory ID: DRUPAL-SA-2006-016
- Project: E-commerce 4.7
- Date: 2006-Aug-22
- Security risk: less critical
- Exploitable from: remote
- Vulnerability: Multiple Cross site scripting
Description
A malicious user with the 'create products' permission can store script or HTML in product data that the module later outputs without escaping, resulting in cross site scripting (XSS). The flaw is a lack of validation (escaping) on output, not on input. This may lead to administrator access if certain conditions are met, typically an administrator viewing the injected content while logged in. Learn more about XSS on Wikipedia.
The 'create products' permission is configurable at administer >> access control. Revoking this permission should provide an immediate workaround until the package is updated.
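The following is an added example, not code from the E-commerce package or from Drupal core. It shows the general pattern behind this class of bug (stored product fields concatenated into HTML as-is) next to the hardened form that escapes at output time. The field names, the render functions and the attacker payload are hypothetical and constructed for illustration; only check_plain() (Drupal 4.7) and PHP's htmlspecialchars() are real APIs. The script runs stand-alone because it defines a check_plain() stand-in when Drupal is not loaded.

```php
<?php
// Added example (hypothetical code, not from the E-commerce package or Drupal).
// Contrasts unescaped output of user-supplied product data with the escaped form.

// Stand-in for Drupal 4.7's check_plain() so this runs outside Drupal.
// Drupal's own implementation is htmlspecialchars($text, ENT_QUOTES).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed attacker input (not taken from the advisory): a product title
// that carries a script payload, as a user with 'create products' could submit.
$product = array(
  'title' => 'Widget<script>alert(document.cookie)</script>',
  'description' => 'A "quoted" description & an ampersand',
);

// VULNERABLE pattern: stored field content goes straight into the page.
// The <script> tag reaches every viewer, including a logged-in administrator.
function render_product_vulnerable($product) {
  return '<h2>' . $product['title'] . '</h2>'
       . '<p>' . $product['description'] . '</p>';
}

// HARDENED: escape at output time. check_plain() turns < > & " ' into
// entities, so the payload is displayed as text instead of being executed.
function render_product_safe($product) {
  return '<h2>' . check_plain($product['title']) . '</h2>'
       . '<p>' . check_plain($product['description']) . '</p>';
}

// Minimal check a reviewer can run over rendered output: a raw <script>
// tag must never survive escaping.
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

echo "Vulnerable:\n" . render_product_vulnerable($product) . "\n\n";
echo "Hardened:\n" . render_product_safe($product) . "\n\n";
echo 'Vulnerable output contains raw <script>: '
   . (contains_raw_script(render_product_vulnerable($product)) ? 'yes' : 'no') . "\n";
echo 'Hardened output contains raw <script>: '
   . (contains_raw_script(render_product_safe($product)) ? 'yes' : 'no') . "\n";
```

The point of escaping at output rather than at input is that the same stored value may be rendered in several places; a single check_plain() (or check_markup() for fields that are meant to carry filtered HTML) at each output site is the fix the advisory's description calls for, and revoking 'create products' only removes the attacker's ability to store the payload in the first place.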
Versions affected
Check the CVS $Id$ line in file/file.module of the E-commerce package to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable:
- $Id: file.module,v 1.37.2.4 2006/08/12 08:01:43 neclimdul Exp $
Drupal core is not affected. If you do not use the contributed E-commerce package, there is nothing you need to do.
Solution
Install the latest version of the E-commerce package for Drupal 4.7.
See also the E-commerce project page.
Reported by
Kuai Hinojosa
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.