Drupal Security TeamDRUPAL-SA-CONTRIB-2012-070SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%
CVE: CVE-2012-2308
This module provides a page where you can see each content types you’ve selected under terms from vocabularies you’ve selected.
This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.
Versions affected
- 6.x-1.6 and before
Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.
Solution
Uninstall the module
Also see the Taxonomy Grid : Catalog project page.
Reported by
- Dylan Tack of the Drupal Security Team
Coordinated by
- Michael Hess of the Drupal Security Team
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%