FreeBSD : drupal -- multiple XSS vulnerabilities (b2383758-5f15-11db-ae08-0008743bf21a)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The Drupal Team reports :

A bug in input validation and lack of output validation allows HTML
and script insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain
circumstances. A malicious user may execute an XSS attack via a
specially crafted RSS feed. This vulnerability exists on systems that
do not use PHP's mb_string extension (to check if mb_string is being
used, navigate to admin/settings and look under 'String handling').
Disabling the aggregator module provides an immediate workaround.

The aggregator module, profile module, and forum module do not
properly escape output of certain fields.

Note: XSS attacks may lead to administrator access if certain
conditions are met.

See also :

http://drupal.org/files/sa-2006-024/advisory.txt
http://drupal.org/drupal-4.7.4
http://www.nessus.org/u?ffd8731d

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 22888 (freebsd_pkg_b23837585f1511dbae080008743bf21a.nasl)
