Archive for the ‘Cross Site Scripting’ Category

CMS Source Multiple Vulnerabilities

August 25th, 2010

Application: CMS Source
Affected Version: version 3.0 and other versions.
Vendor’s URL: CMS Source
Bug Type: Cross Site Scripting and SQL Injection
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised and verified.

Content Management, Cross Site Scripting, SQL Injection

Joomla! cgTestimonial Component Cross-Site Scripting and Arbitrary File Upload

August 25th, 2010

Application: Joomla!
Affected Version: version 1.0 and other versions.
Vendor’s URL: cgTestimonial Component
Bug Type: Cross Site Scripting and File Upload
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised. Restrict access to the components/com_cgtestimonial/user_images directory (e.g. via .htaccess).

Content Management, Cross Site Scripting, File Inclusion

Joomla Frei-Chat Component One Script Insertion

July 29th, 2010

Application: Joomla
Affected Version: versions prior to 2.1.2.
Vendor’s URL: Frei-Chat Component
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 2.1.2.

Content Management, Cross Site Scripting

WordPress WP-UserOnline Plugin Script Insertion

July 29th, 2010

Application: WordPress
Affected Version: version 2.62 and other versions.
Vendor’s URL: WP-UserOnline Plugin
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 2.70 or later.

Content Management, Cross Site Scripting

Joomla JFaq Component Multiple Vulnerabilities

July 29th, 2010

Application: Joomla
Affected Version: version 1.2 and other versions.
Vendor’s URL: JFaq Component
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Moodle Multiple Vulnerabilities

June 21st, 2010

Application: Moodle
Affected Version:
Vendor’s URL: Moodle
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 1.8.13 or 1.9.9 or apply patches (see vendor’s advisories for details).

Content Management, Cross Site Scripting

Joomla My Car Component Two Vulnerabilities

June 21st, 2010

Application: Joomla
Affected Version: version 1.0 and other versions.
Vendor’s URL: My Car Component
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Drupal AddonChat Module Security Bypass and Script Insertion

June 21st, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.2.
Vendor’s URL: AddonChat Module
Bug Type: Security Bypass and Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 6.x-1.2.

Access Bypass, Content Management, Cross Site Scripting

Drupal Chaos Tool Suite Module Multiple Vulnerabilities

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.4.
Vendor’s URL: Chaos Tool Suite Module
Bug Type: Cross Site Scripting and Access Bypass
Risk Level: Critical

Solution:
Update to version 6.x-1.4.

Content Management, Cross Site Scripting

Drupal Heartbeat Module Script Insertion

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-4.9.
Vendor’s URL: Heartbeat Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to Heartbeat 6.x-4.9.

Content Management, Cross Site Scripting

Invision Power Board Script Insertion

May 26th, 2010

Application: Invision Power Board
Affected Version: versions 2.3.6 and 3.0.5.
Vendor’s URL: Invision Power Board
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Apply the patch.

Original Advisory:
http://community.invisionpower.com/topic/306221-ipboard-236-and-305-security-update/

Cross Site Scripting, Discussion Boards

Drupal CiviRegister Module Script Insertion

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.1.
Vendor’s URL: CiviRegister Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 6.x-1.1.

Content Management, Cross Site Scripting

Joomla! DJ-Classifieds Component Script Insertion and File Upload

May 26th, 2010

Application: Joomla!
Affected Version: version 0.9.1
Vendor’s URL: DJ-Classifieds Component
Bug Type: Cross Site Scripting and File Upload
Risk Level: Critical

Solution:
Grant only trusted users access to the affected component.

Content Management, Cross Site Scripting, File Inclusion

CMS SiteLogic Cross-Site Scripting and SQLi

April 23rd, 2010

Application: CMS SiteLogic
Affected Version:
Vendor’s URL: CMS SiteLogic
Bug Type: Cross-Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting, SQL Injection

Xoops XSS and SQLi

January 27th, 2010

Application: Xoops
Affected Version: version 2.4.2 and prior versions.
Vendor’s URL: Xoops
Bug Type: Cross Site Scripting and SQL Injection
Risk Level: Medium

Solution:
Update to version 2.4.3.

Content Management, Cross Site Scripting, SQL Injection

WordPress Google Analytics Plugin XSS

December 24th, 2009

Application: WordPress
Affected Version: version 3.2.4 and other versions
Vendor’s URL: Google Analytics Plugin
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 3.2.5.

Content Management, Cross Site Scripting

WordPress File Upload and Script Insertion

December 1st, 2009

Application: WordPress
Affected Version: version 2.8.5
Vendor’s URL: WordPress
Bug Type: File Upload and Script Insertion
Risk Level: Medium

Solution:
Update to version 2.8.6.

Access Bypass, Content Management, Cross Site Scripting

Drupal Browscap Module Script Insertion

October 23rd, 2009

Application: Drupal
Affected Version: prior to version 5.x-1.1 and 6.x-1.1.
Vendor’s URL: Browscap Module
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Browscap 5.x:
Update to Browscap 5.x-1.1
http://drupal.org/node/592262

Browscap 6.x:
Update to Browscap 6.x-1.1
http://drupal.org/node/592264

Content Management, Cross Site Scripting

Drupal Multiple Vulnerabilities

September 23rd, 2009

Application: Drupal
Affected Version: versions prior to 6.14.
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 6.14 or apply the patch.

Content Management, Cross Site Scripting

Drupal BUEditor Module Script Insertion

September 23rd, 2009

Application: Drupal
Affected Version: versions prior to 5.x-1.2 and 6.x-1.4.
Vendor’s URL: BUEditor Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 5.x-1.2 or 6.x-1.4.

Content Management, Cross Site Scripting