

====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN129
____________________________________________________________________

DATE                : 15/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                       Views Language Switcher for DRUPAL versions 7.x.

======================================================================
http://drupal.org/node/1482420
______________________________________________________________________

SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)


    * Advisory ID: DRUPAL-SA-CONTRIB-2012-038
    * Project: Views Language Switcher (third-party module)
    * Version: 7.x
    * Date: 2012-March-14
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

The Views Language Switcher module enables you to provide
natively-formatted links that act as Views exposed filters for
i18n content being displayed by Views.
The module does not sufficiently filter the request path before
outputting it, so a user who manually modifies the path and makes a
new request gets that path echoed back unfiltered.

This vulnerability can be exploited by anonymous users.
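The following Drupal 7 snippet is an added illustration of the class of
defect this advisory describes; it is not the Views Language Switcher
module's code, nor its actual fix, and the hypothetical_* function names
are assumptions made for the example. It contrasts concatenating the
request path straight into markup with building the same link through
the Drupal API, whose l() helper escapes both the link text and the
href:

```php
<?php
// Added illustration for this advisory; NOT the Views Language Switcher
// module's code and NOT its actual fix. The hypothetical_* names are
// assumptions. Shown in Drupal 7 API terms.

/**
 * Vulnerable pattern: the request path (controlled by whoever makes the
 * request) is concatenated straight into HTML. Nothing escapes it, so
 * whatever a visitor puts in the path comes back in the page unchanged.
 */
function hypothetical_langswitch_link_unsafe($langcode) {
  $path = current_path();
  return '<a href="/' . $langcode . '/' . $path . '">' . $langcode . '</a>';
}

/**
 * Hardened pattern: validate the language and the path, then let l()
 * build the anchor. l() runs the link text through check_plain() and the
 * href through check_plain(url()), so the request path can no longer
 * close the attribute or inject elements. Do not pass 'html' => TRUE:
 * that option turns the text escaping off again.
 */
function hypothetical_langswitch_link_safe($langcode) {
  $languages = language_list();
  if (!isset($languages[$langcode])) {
    // Unknown language code: emit nothing rather than echo the input.
    return '';
  }
  $path = current_path();
  // Only switch language on a path Drupal actually routes; otherwise
  // fall back to the front page instead of reflecting an arbitrary path.
  if (!drupal_valid_path($path)) {
    $path = '<front>';
  }
  return l($languages[$langcode]->native, $path, array(
    'language' => $languages[$langcode],
    // Carry the exposed-filter query string along; url() encodes it.
    'query' => drupal_get_query_parameters(),
    'attributes' => array('class' => array('language-switcher')),
  ));
}
```

The point for a reviewer auditing a module of this kind is that the
request path reaches the page in two positions, the href attribute and
the visible link text, and both need escaping; in Drupal 7 the cheapest
way to get both right is to never assemble anchor markup by hand and to
keep the 'html' option off.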


Versions affected

    * Views Language Switcher 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed
Views Language Switcher module, there is nothing you need to do.


Solution

Install the latest version:

    * If you use the Views Language Switcher module for Drupal 7.x,
      upgrade to Views Language Switcher 7.x-1.2

See also the Views Language Switcher project page.


Reported by

    * Chris Ruppel

Fixed by

    * Chris Ruppel, the module maintainer
    * Greg Knaddison of the Drupal Security Team

Coordinated by

    * Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org
or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and securing your site.


Categories: Drupal 7.x


======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
