=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN276
_____________________________________________________________________

DATE                      : 29/07/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Dashboard for DRUPAL version 6.x
                            prior to 6.x-2.1.

======================================================================
http://drupal.org/node/867426
______________________________________________________________________


SA-CONTRIB-2010-076 - Dashboard - Cross Site Scripting (XSS)
Security advisories for contributed projects · Drupal 6.x
Drupal Security Team - July 28, 2010 - 16:11

    * Advisory ID: SA-CONTRIB-2010-076
    * Project: Dashboard (third-party module)
    * Version: 6.x
    * Date: 2010-July-28
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description:

The dashboard module allows users to create a personalized set of pages of
widgets created from existing blocks and nodes (like iGoogle).

The module does not escape user-generated names for tags and titles associated
with default widgets that are added to a user dashboard page, leading to a
Cross Site Scripting (XSS) vulnerability. Users with permission to access or
create default dashboard widgets are vulnerable to attack. A malicious user
needs the permission "administer dashboard defaults" to exploit the vulnerability.
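The bug class described above, as an added illustration that is not code from the Dashboard module or the Drupal advisory: a Drupal 6 module rendering a widget's user-supplied title and tags, first by concatenating the raw strings into markup and then with each string passed through the real Drupal 6 helper check_plain(). The function names and the sample widget are hypothetical, and the check_plain() shim exists only so the file runs outside Drupal.

```php
<?php
// Added example, not the Dashboard module's own code. check_plain() is the
// real Drupal 6 escaping helper (htmlspecialchars with ENT_QUOTES, UTF-8);
// this shim is a stand-in so the file runs outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern (hypothetical function): user-controlled strings are
// dropped straight into the widget markup, so any HTML in a widget name or
// tag is interpreted by the browser of every user who views the dashboard.
function example_widget_header_unsafe(array $widget) {
  $tags = implode(', ', $widget['tags']);
  return '<h2 class="widget-title">' . $widget['title'] . '</h2>'
       . '<div class="widget-tags">' . $tags . '</div>';
}

// Hardened pattern: every untrusted string is escaped with check_plain()
// before concatenation, so markup in the input is rendered as literal text.
function example_widget_header_safe(array $widget) {
  $tags = array_map('check_plain', $widget['tags']);
  return '<h2 class="widget-title">' . check_plain($widget['title']) . '</h2>'
       . '<div class="widget-tags">' . implode(', ', $tags) . '</div>';
}

// Constructed sample widget whose title and tags carry HTML and quotes.
$widget = array(
  'title' => 'News <i>feed</i> "today"',
  'tags'  => array('team "A"', '<b>ops</b>'),
);

echo example_widget_header_unsafe($widget), "\n";
echo example_widget_header_safe($widget), "\n";

// Sanity check: none of the input's tags survive as live markup in the
// hardened output (the only angle brackets left belong to the template).
$safe = example_widget_header_safe($widget);
assert(strpos($safe, '<i>') === false && strpos($safe, '<b>') === false);
```

In a real Drupal 6 module the same effect is obtained by passing the value as an @placeholder to t(), which also runs check_plain() on it.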

Versions affected:

    * Dashboard module for Drupal 6.x versions prior to 6.x-2.1

Drupal core is not affected. If you do not use the contributed Dashboard module,
there is nothing you need to do.

Solution:

Install the latest version:

    * Upgrade to Dashboard 6.x-2.1

See also the Dashboard project page.

Reported by:

    * Greg Knaddison (greggles), a member of the Drupal Security Team

Fixed by:

    * Chris Miller, module maintainer
    * Greg Knaddison (greggles), a member of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact.


======================================================================

          =========================================================
          The CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================