FreeBSD : drupal -- Multiple XSS vulnerabilities (1f5b711b-3d0e-11dc-b3d3-0016179b2dd5)
Severity: High
Nessus Plugin ID 25803

Synopsis
The remote FreeBSD host is missing one or more security-related updates.

Description
The Drupal Project reports:
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.
Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate workaround.
Solution
Update the affected packages.