SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported

CVE: CVE-2012-1628

SuperCron is a complete replacement for Drupal’s built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with “access administration pages” permission.

CVE: CVE-2012-1629

Taxotouch helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

CVE: CVE-2012-1630

Taxonomy Navigatorshows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

CVE: CVE-2012-1631

Admin:hover allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.

Versions affected

All versions of all four modules are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.

Solution

Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Abandoned project process

Reported by

• The Supercron issue was prematurely disclosed publicly outside of the security issue reporting process
• Admin:hover issue reported by Ivo Van Geertruyen of the Drupal Security Team
• Taxotouch issue reported by Dylan Tack of the Drupal Security Team
• Taxonomy Navigator issue reported by Dylan Tack of the Drupal Security Team

Fixed by

No fixes created.