Holes in Drupal CMS closed
Drupal's developers have released versions 6.6 and 5.12 of the Drupal CMS, which address a number of vulnerabilities. Among them is a hole that allows attackers to inject and execute scripts and, in this way, elevate their system access rights. The hole can only be exploited on web servers that serve a number of virtual hosts.
The developers also fixed a cross-site scripting hole in the handling of the title in book pages. Users are strongly advised to install the update. Another advisory describes a cross-site scripting hole in a language localisation module. An updated module fixes this hole.
See also:
- Drupal 6.6 and 5.12 released, announcement at Drupal.org
- Drupal core - Multiple vulnerabilities, advisory at Drupal.org
(djwm)