Bug 740553 (CVE-2011-3373) - CVE-2011-3373 drupal6-views_bulk_operations: XSS due improper escaping of a vocabulary help (SA-CONTRIB-2011-042)
Summary: CVE-2011-3373 drupal6-views_bulk_operations: XSS due improper escaping of a v...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20110921,repor...
Depends On: 740555 740556
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-22 12:45 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:55 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-10 07:53:58 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2011-09-22 12:45:42 UTC
The Drupal views module provides a flexible method for Drupal site designers to control how lists of content (nodes) are presented. The Views Bulk Operations (VBO) Drupal module module augments views by allowing bulk operations to be executed on the nodes displayed by a view. It does so by showing a check box in front of each node, and adding a select box containing operations that can be applied on the selected nodes.

It was found in the way Drupal Views Builk Operations (VBO) module did not escape the vocabulary help properly, when the vocabulary has had user tagging enabled and "Modify node taxonomy terms" action was used for modification of the taxonomy. A remote attacker could provide a specially-crafted URL, which once visited by unsuspecting Drupal user, disposing with the 'administer taxonomy' permission, could lead to arbitrary HTML or web script execution (cross-site scripting [XSS] attack).

References:
[1] http://drupal.org/node/1286844
[2] http://secunia.com/advisories/46114/

Upstream solution:
Upgrage to 6.x-1.11:
[3] http://drupal.org/node/1286778

Comment 1 Jan Lieskovsky 2011-09-22 12:48:01 UTC
This issue affects the versions of the drupal6-views_bulk_operations package, as shipped with Fedora release of 14 and Fedora release of 15. Please schedule an update.

--

This issue affects the versions of the drupal6-views_bulk_operations package, as present within EPEL-5 and EPEL-6 repositories. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-09-22 12:55:42 UTC
CVE request:
[4] http://www.openwall.com/lists/oss-security/2011/09/22/4

Comment 3 Jan Lieskovsky 2011-09-22 12:57:44 UTC
Created drupal6-views_bulk_operations tracking bugs for this issue

Affects: fedora-all [bug 740555]
Affects: epel-all [bug 740556]

Comment 4 Jan Lieskovsky 2011-09-23 15:37:03 UTC
The CVE identifier of CVE-2011-3373 has been assigned to this issue:
[5] http://www.openwall.com/lists/oss-security/2011/09/23/1

Comment 5 Fedora Update System 2011-10-09 21:00:01 UTC
drupal6-views_bulk_operations-1.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2011-10-09 21:00:23 UTC
drupal6-views_bulk_operations-1.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Jan Lieskovsky 2011-10-10 07:53:58 UTC
This issue has been addressed in the following updates:
1) drupal6-views_bulk_operations-1.11-1.fc16,
2) drupal6-views_bulk_operations-1.11-1.fc15,
3) drupal6-views_bulk_operations-1.11-1.fc14,
4) drupal6-views_bulk_operations-1.11-1.el6,
5) drupal6-views_bulk_operations-1.11-1.el5.


Note You need to log in before you can comment on or make changes to this bug.