=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN544
_____________________________________________________________________

DATE                      : 16/12/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Views for DRUPAL version 6.x prior to 6.x-2.12.

======================================================================
http://drupal.org/node/999380
______________________________________________________________________

SA-CONTRIB-2010-111 - Views - Cross Site Scripting
Posted by Drupal Security Team on December 15, 2010 at 8:46pm

    * Advisory ID: DRUPAL-SA-CONTRIB-2010-111
    * Project: Views (third-party module)
    * Version: 6.x
    * Date: 2010-December-15
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Multiple vulnerabilities

Description

The Views module provides a flexible method for Drupal site designers
to control how lists and tables of content are presented. Under certain
circumstances, Views could display parts of the page path without
escaping, resulting in a relected Cross Site Scripting (XSS)
vulnerability. An attacker could exploit this to gain full
administrative access.

Mitigating factors: This vulnerability only occurs with a specific
combination of configuration options for a specific View, but this
combination is used in the default Views provided by some additional
 modules. A malicious user would need to get an authenticated
administrative user to visit a specially crafted URL.

Versions affected

    * Views module for Drupal 6.x versions prior to 6.x-2.12

Drupal core is not affected. If you do not use the contributed
Views module, there is nothing you need to do.

Solution

Install the latest version:

    * If you use the Views module for Drupal 6.x upgrade to
Views 6.x-2.12

See also the Views project page.

Reported by

    * Alexander Kirienko

Fixed by

    * Earl Miles (merlinofchaos), module maintainer

Contact

The Drupal security team can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================