Security Announcements for November 2008

  • SA-2008-071 - USER KARMA
    Versions prior to 5.x-1.13 and 6.x-1.0 contain an SQL injection and a cross-site scripting (XSS) vulnerability that could give a user control over an SQL database and user cookies.
  • SA-2008-070 - COMMENT MAIL
    Comment Mail for Drupal 5.x prior to 5.x-1.1 has a cross-site request forgery (CSRF) vulnerability that allows end-users to administer permissions, ban IP addresses, and deny or approve comments.

  • SA-2008-069 - CCK
    CCK (Content Construction Kit) has a cross-site scripting (XSS) vulnerability in Drupal 5.x prior to 5.x-1.1 and 6.x-2.0.
