Red Hat Bugzilla – Bug 740553
CVE-2011-3373 drupal6-views_bulk_operations: XSS due improper escaping of a vocabulary help (SA-CONTRIB-2011-042)
Last modified: 2016-03-04 06:27:31 EST
The Drupal views module provides a flexible method for Drupal site designers to control how lists of content (nodes) are presented. The Views Bulk Operations (VBO) Drupal module module augments views by allowing bulk operations to be executed on the nodes displayed by a view. It does so by showing a check box in front of each node, and adding a select box containing operations that can be applied on the selected nodes.
It was found in the way Drupal Views Builk Operations (VBO) module did not escape the vocabulary help properly, when the vocabulary has had user tagging enabled and "Modify node taxonomy terms" action was used for modification of the taxonomy. A remote attacker could provide a specially-crafted URL, which once visited by unsuspecting Drupal user, disposing with the 'administer taxonomy' permission, could lead to arbitrary HTML or web script execution (cross-site scripting [XSS] attack).
Upgrage to 6.x-1.11:
This issue affects the versions of the drupal6-views_bulk_operations package, as shipped with Fedora release of 14 and Fedora release of 15. Please schedule an update.
This issue affects the versions of the drupal6-views_bulk_operations package, as present within EPEL-5 and EPEL-6 repositories. Please schedule an update.
Created drupal6-views_bulk_operations tracking bugs for this issue
Affects: fedora-all [bug 740555]
Affects: epel-all [bug 740556]
The CVE identifier of CVE-2011-3373 has been assigned to this issue:
drupal6-views_bulk_operations-1.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-views_bulk_operations-1.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following updates: