Drupal Security TeamDRUPAL-SA-CONTRIB-2012-088SA-CONTRIB-2012-088 - Mobile Tools - Cross Site Scripting (XSS)
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
73.8%
Mobile Tools provides Drupal developers with some tools to assist in making a site mobile.
The module contains several persistent cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied values before display.
CVE: CVE-2012-2717
Versions affected
- Mobile Tools 6.x-2.x versions prior to 6.x-2.3
Drupal core is not affected. If you do not use the contributed Mobile Tools module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Mobile Tools module for Drupal 6.x, upgrade to Mobile Tools 6.x-2.3
Also see the Mobile Tools project page.
Reported by
Fixed by
- Mathew Winstone (minorOffense) the module maintainer
Coordinated by
- Michael Hess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
73.8%