FreeBSD : drupal -- XSS (7a1ab8d4-35c1-11de-9672-0030843d3802)
Medium Nessus Plugin ID 38657
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Drupal Security Team reports:
When outputting user-supplied data, Drupal strips potentially dangerous HTML attributes and tags, or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross-site scripting attacks via user input.
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL, and thus disclosed to the third party. The third-party site may then execute a CSRF attack against the submitted form.
Solution
Update the affected packages.