drupal-scheduler

2010-06-18

Page content

Author: Miklos Vajna
Vulnerable: 5.x_1.18-1
Unaffected: 5.x_1.19-1locris1

A vulnerability has been reported in the Scheduler module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed via titles of unpublished nodes is not properly sanitised before being displayed to the users in the scheduled nodes overview list. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation requires “schedule (un)publishing of nodes” permissions.

Bug Tracker URL: http://bugs.frugalware.org/task/4228

CVEs:

No CVE, see http://drupal.org/node/810220