Drupal Security TeamDRUPAL-SA-CONTRIB-2012-062SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%
CVE: CVE-2012-2297
The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. The module did not sufficiently filter the text describing licenses. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer creative commons”.
Versions affected
- Creative Commons 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Creative Commons module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Creative Commons module for Drupal 6.x, upgrade to Creative Commons 6.x-1.1
Also see the Creative Commons project page.
Reported by
Fixed by
- Kevin Reynen the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
References
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%