SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities

The XSS issue is:
CVE: CVE-2012-2078
The CSRF issue is:
CVE: CVE-2012-2079

The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integrate with it. The messages that are produced are customizable via the admin interface and are context sensitive.

The 6.x-1.x branch of the module does not filter output of the module settings correctly leading to a cross site scripting vulnerability (XSS). It also does not confirm user intent when removing a single activity resulting in a cross site request forgery vulnerability.

The XSS vulnerability is mitigated by the fact that it requires the malicious user to have a role with the “access administration pages” and “administer activity” permissions.

Versions affected

• All releases of the 6.x-1.x branch

Drupal core is not affected. If you do not use the contributed Activity module, there is nothing you need to do.

Solution

Install the latest version:

• The 6.x-1.x branch of this module is no longer supported. Upgrade to 6.x-2.0-alpha1

Note that there is currently no upgrade path. Users of the module are encouraged to work in the module queue to help build an upgrade path. Also see the Activity project page.

Reported by

• Ivo Van Geertruyen of the Drupal Security Team
• Justin Klein Keane

Coordinated by

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team