Exabytes Security Portal
Application: Drupal
Affected Version: prior to 5.x-3.3 and prior to 6.x-1.3.
Vendor’s URL: Mailsave Module
Bug Type: Script Insertion
Risk Level: Cross Site Scripting
Solution:
Update to version 5.x-3.3 or 6.x-1.3.
Application: Drupal
Affected Version: prior to 5.x-1.3 and prior to 6.x-1.5.
Vendor’s URL: Talk Module
Bug Type: Script Insertion and Security Bypass
Risk Level: Cross Site Scripting, Security Bypass
Solution:
Update to version 5.x-1.3 or 6.x-1.5.
Application: Drupal
Affected Version: version 5.x-1.0.
Vendor’s URL: Link To Us Module
Bug Type: Script Insertion
Risk Level: Critical
Solution:
Update to version 5.x-1.1.
Application: Joomla!
Affected Version: prior to version 1.5.7.
Vendor’s URL: Joomla!
Bug Type:
Risk Level: Critical
Solution:
Update to version 1.5.7.
Application: DotNetNuke
Affected Version: versions 4.4.1 - 4.8.4 or versions 2.0 - 4.8.4.
Vendor’s URL: DotNetNuke
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 4.9.0.
Application: WordPress
Affected Version: prior to 2.6.2.
Vendor’s URL: WordPress
Bug Type:
Risk Level: Critical
Solution:
Update to version 2.6.2.
Application: D-iscussion Board
Affected Version: version 3.01
Vendor’s URL: D-iscussion Board
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
Application: Invision Power Board
Affected Version: 2.2.x versions and all 2.3.x versions, inclusive of 2.3.5.
Vendor’s URL: Invision Power Board
Bug Type: SQL injection
Risk Level: Critical
Solution:
Apply the vendor’s official patch, which fixes vulnerability #1:
http://forums.invisionpower.com/index.php?showtopic=276512
Do not select “Switch between standard and rich text editor”. Do not import untrusted language files.
Application: Drupal
Affected Version: prior to 5.x-1.8.
Vendor’s URL: Content Construction Kit
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to CCK 5.x-1.9.
Application: webEdition CMS
Affected Version:
Vendor’s URL: webEdition CMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Application: Xoops
Affected Version: version 3.20
Vendor’s URL: PopnupBlog Module
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Drupal
Affected Version: prior to 5.x-1.4 or prior to 6.x-1.4
Vendor’s URL: Mailhandler Module
Bug Type: SQL injection
Risk Level: Critical
Solution:
Update to version 5.x-1.4 or 6.x-1.4.
You are currently browsing the Exabytes Security Portal weblog archives for the month September, 2008.
