
List:       bugtraq
Subject:    [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module
From:       ali.hussein () helpag ! com
Date:       2014-01-23 19:00:12
Message-ID: 201401231900.s0NJ0C25028466 () sf01web1 ! securityfocus ! com

Advisory ID: hag2014101
Product: EventCalendar 
Vendor: Drupal
Vulnerable Version(s): Drupal 7.14 and probably newer version
Tested Version: Drupal 7.14
Advisory Publication: January 23, 2014 
Vendor Notification: November 20, 2013 
Public Disclosure: January 23, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-1607
Risk Level: Medium 
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: help AG Middle East

------------------------------------------------------------------------

-----------------------

About the vendor:
Drupal is an open source content management platform powering millions of websites and applications. It's built, used, and supported by an active and diverse community of people around the world.

Advisory Details:

During a penetration test, Help AG auditors (Ali & Khalilov) discovered the following:
A reflected cross-site scripting (XSS) vulnerability in the Drupal 7.14 EventCalendar module, found at eventcalendar/year, allows remote attackers to inject arbitrary web script or HTML because the year parameter is not properly sanitized. An adversary might use this vulnerability by appending an onmouseover payload after the year, which is then executed successfully.
1) Cross-Site Scripting (XSS) in Mediatrix Web Management Interface: CVE-2014-1612

As proof of concept, one needs to request the following URL on the vulnerable website:
eventcalander/2013%22%20onmouseover%3dalert%28%27XSSed%27%29%20bad%3d%22

Attackers could craft malicious URLs, send them to users, and use them to steal cookies or otherwise compromise the application.
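The defect described above is an attribute-context injection: the year is reflected into HTML without encoding, so a double quote closes the attribute and the rest of the value becomes a new onmouseover attribute. The following is an added illustration and not the EventCalendar module's own code; it assumes a generic link template in which the year lands inside an attribute, shows the vulnerable rendering beside a hardened one (strict 4-digit validation plus quote-aware HTML encoding, the same escaping Drupal 7's check_plain() performs), and runs a small check over constructed access-log lines to flag year segments that are not plain years.

```python
"""Reflected XSS in an HTML attribute context: vulnerable vs. hardened rendering,
plus a simple access-log check. Added example for the advisory above; it does not
reproduce the Event Calendar module's real code, only an assumed template."""
import html
import re
from urllib.parse import unquote

# Constructed sample: the year segment taken from the advisory's PoC URL,
# percent-decoded as a web server would hand it to the application.
POC_YEAR_ENCODED = "2013%22%20onmouseover%3dalert%28%27XSSed%27%29%20bad%3d%22"
POC_YEAR = unquote(POC_YEAR_ENCODED)  # 2013" onmouseover=alert('XSSed') bad="

# Hypothetical template: the year is placed inside attributes and in text.
ATTR_TEMPLATE = '<a href="/eventcalendar/{year}" title="{year}">{year}</a>'

YEAR_RE = re.compile(r"^\d{4}$")


def render_vulnerable(year: str) -> str:
    """Mirror the reported defect: the value is interpolated with no encoding."""
    return ATTR_TEMPLATE.format(year=year)


def render_hardened(year: str) -> str:
    """Two independent layers: reject anything that is not a 4-digit year, and
    HTML-encode the value (quotes included) before it reaches an attribute."""
    if not YEAR_RE.match(year):
        raise ValueError("year must be exactly four digits")
    return ATTR_TEMPLATE.format(year=html.escape(year, quote=True))


def has_injected_handler(markup: str) -> bool:
    """True when an on* event-handler attribute appears in the rendered markup."""
    return re.search(r"\son[a-z]+\s*=", markup, re.IGNORECASE) is not None


# Constructed Apache-combined-style log lines: one benign request, one carrying
# the PoC payload, one more benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2014:19:00:12 +0000] "GET /eventcalendar/2013 HTTP/1.1" 200 512
203.0.113.9 - - [23/Jan/2014:19:00:13 +0000] "GET /eventcalendar/2013%22%20onmouseover%3dalert%28%27XSSed%27%29%20bad%3d%22 HTTP/1.1" 200 540
203.0.113.7 - - [23/Jan/2014:19:00:14 +0000] "GET /eventcalendar/2014 HTTP/1.1" 200 498
"""

REQUEST_RE = re.compile(r'"GET /eventcalendar/([^ ]*) HTTP')


def suspicious_requests(log_text: str) -> list:
    """Return decoded year segments that are not a plain 4-digit year."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        year = unquote(m.group(1))
        if not YEAR_RE.match(year):
            hits.append(year)
    return hits


if __name__ == "__main__":
    print(render_vulnerable(POC_YEAR))
    try:
        render_hardened(POC_YEAR)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_hardened("2013"))
    print(suspicious_requests(SAMPLE_LOG))
```

Validation and encoding are kept as separate layers on purpose: encoding alone would neutralize this payload, but a strict type check on a value that can only ever be a year removes the whole class of input before any template sees it, and the same check doubles as the log-review rule.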
------------------------------------------------------------------------

-----------------------

Solution:

The vendor was notified; contact the vendor for patch details.

------------------------------------------------------------------------

-----------------------

References:

[1] help AG Middle East - http://www.helpag.com/
[2] Drupal - https://drupal.org/
[3]
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE ® is a dictionary of publicly known information security vulnerabilities and exposures.
[5] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

------------------------------------------------------------------------

-----------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.

