HomeBlogsDave Keays's blog

Drupal SA's for September 2008

Wed, 09/24/2008 - 06:02 — Dave Keays

There have been 5 Drupal security announcements for September 2008 about 3rd party modules with Cross-Site-Scripting vulnerabilities in them.

The Drupal core is not affected in any of these cases so updating the module would be adequate in all but one situation. See DRUPAL-SA-2008-048-b for more information.

  • "Answers" module (all Drupal 5.x versions)
    DRUPAL-SA-2008-053
  • "Link To Us" module (5.x prior to 5.x-1.1 and 6.x-dev)
    DRUPAL-SA-2008-052
  • Mailsave module (5.x prior to 5.x-3.3 and 6.x prior to 6.x-1.3)
    DRUPAL-SA-2008-051
  • Mailhandler module (5.x prior to 5.x-1.4 and 6.x prior to 6.x-1.4)
    DRUPAL-SA-2008-050
  • CCK module (5.x prior to 5.x-1.9)
    DRUPAL-SA-2008-048-b
    NOTE 1: SA-2008-048 stated the vulnerable versions were prior to 5.x-1.8 this SA updates them to 5.x-1.9
    NOTE 2: If your theme uses field templates, you will need to manually change the
    function phptemplate_field or THEME_NAME_field in your theme's template.php:

    from:
    'label' => t($field['widget']['label']),
    to:
    'label' => check_plain(t($field['widget']['label']))

  • PluginManager module (Drupal 6.x prior to 6.x-1.2)DRUPAL-SA-2008-054
  • Stock module (Drupal 6.x prior to 6.x-1.0)
    DRUPAL-SA-2008-055
  • Simplenews module (Drupal 5.x prior to 6.x-1.5, 6.x prior to 6.x-1.0-beta4)
    DRUPAL-SA-2008-056
  • Ajax checklist module (Drupal 5.x prior to 5.x-1.1)
    DRUPAL-SA-2008-057

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options