Drupal Security TeamDRUPAL-SA-CONTRIB-2012-008SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.5%
CVE: CVE-2012-1634
The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display.
This vulnerability is mitigated by the fact that the attacker has to be able to either control the source of third party data (such as via DNS hijack) or manipulate it in transit.
Versions affected
- Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0.
- Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0.
Drupal core is not affected. If you do not use the contributed Video Filter module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter 6.x-3.0
- If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter 7.x-3.0
See also the Video Filter project page.
Reported by
Fixed by
- Justin Klein Keane
- Hans Nilsson, module maintainer
Coordinated by
- Dave Reid, Drupal Security Team member
References
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.5%