Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Fedora 10: 2009-8162 Moderate: drupal-date Module XSS Risk

fedora
Calendar Grey July 31, 2009
Dist Fedora Esm H88
Fedora Software Alert regarding the drupal-date module fixes critical XSS vulnerability. Update to version 6.x-2.3 to enhance your security.
* Advisory ID: DRUPAL-SA-CONTRIB-2009-046 * Project: Date (third-party module) * Version: 6.x * Date: 2009-July-29 * Security risk: Moderately critical * Exploitable fr...

Summary

The Date API is available to be used by other modules and is not dependent

on having CCK installed. The date module is a flexible date/time field

type for the cck content module which requires the CCK content.module and

the Date API module.

Update Information:

* Advisory ID: DRUPAL-SA-CONTRIB-2009-046 * Project: Date (third-party module) * Version: 6.x * Date: 2009-July-29 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting The Date module provides a date CCK field that can be added to any content type. The Date Tools module that is bundled with Date module does not properly escape user input when displaying labels for fields on a content type. A malicious user with the 'use date tools' permission of the Date Tools sub- module, or the 'administer content types' permission could attempt a cross site scripting [1] (XSS) attack when creating a new content type, leading to the user gaining full administrative access. -------- VERSIONS AFFECTED prior to 6.x-2.3 Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do. -------- SOLUTION latest version: * If you use Date for Drupal 6.x upgrade to Date 6.x-2.3 [2] Note th...

Topics%20covered

Topics Covered

security advisory Fedora XSS cross site scripting package update moderate risk drupal-date

Change Log

* Wed Jul 29 2009 Jon Ciesla - 6.x.2.3-0 - Update to new version. - Fix for DRUPAL-SA-CONTRIB-2009-046. * Fri Jul 24 2009 Fedora Release Engineering - 6.x.2.0-2.rc4.2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Tue Feb 24 2009 Fedora Release Engineering - 6.x.2.0-2.rc4.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Tue Nov 4 2008 Jon Ciesla - 6.x.2.0-2.rc4 - Update to new version.

References

Fedora Update Notification FEDORA-2009-8162 2009-07-31 17:30:53
Name : drupal-date Product : Fedora 10 Version : 6.x.2.3 Release : 0.fc10 URL : Summary : This package contains both the Date module and a Date API module Description : The Date API is available to be used by other modules and is not dependent on having CCK installed. The date module is a flexible date/time field type for the cck content module which requires the CCK content.module and the Date API module.

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update drupal-date' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
important
Lowest
Low
Medium
High
Critical

Name: drupal-date
Product: Fedora 10
Version: 6.x.2.3
Release: 0.fc10
URL:
Summary: This package contains both the Date module and a Date API module

Topics%20covered

Topics Covered

security advisory Fedora XSS cross site scripting package update moderate risk drupal-date

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here