=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN257
_____________________________________________________________________

DATE                      : 27/06/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Suggested terms with DRUPAL.

======================================================================
http://drupal.org/node/274919
______________________________________________________________________

-------------SA-2008-039 - SUGGESTED TERMS - CROSS SITE SCRIPTING---
---------

   * Advisory ID: SA-2008-039

   * Project: Suggested terms (third-party module)

   * Versions: 5.x

   * Date: 2008-June-25

   * Security risk: Moderately critical

   * Exploitable from: Remote

   * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

This module provides "suggested terms" for free-tagging Taxonomy fields
based on terms already submitted. Taxonomy terms as presented in the
clickable list are not properly sanitized. Users who are able to create
new terms are able to insert arbitrary script code and HTML into certain
edit pages. This may lead to administrator access.

- ------------VERSIONS AFFECTED------------

   * Suggested terms 5.x releases prior to 5.x-1.2.

Drupal core is not affected. If you do not use the contributed Suggested
terms module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

   * If you currently use Suggested terms 5.x, upgrade to Suggested terms
5.x-1.2 [ http://drupal.org/node/274905 ].

See also the Suggested terms project page [
http://drupal.org/project/suggestedterms ].

- ------------REPORTED BY------------

This issue was reported by Erich C. Beyrent.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].


======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================