aviso de Seguridad: ---- DRUPAL-SA-CONTRIB-2009-005 - VIEWS BULK OPERATIONS - CROSS SITE SCRIPTING

---- DRUPAL-SA-CONTRIB-2009-005 - VIEWS BULK OPERATIONS - CROSS SITE SCRIPTING
----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-005

* Project: Views bulk operations (third-party module)

* Version: 5.x, 6.x

* Date: 2009 February 04

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Cross-site scripting (XSS)

---- DESCRIPTION ----

Views bulk operations augments Views by enabling bulk operations to be executed
on the content displayed by a view. Views bulk operations does not properly
escape user-supplied data on some pages, allowing malicious users to insert
arbitrary HTML and script code into these pages. Such a cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) attack may lead to a
malicious user gaining full administrative access.

---- VERSIONS AFFECTED ----

* Versions of Views bulk operations for Drupal 5.x prior to 5.x-1.3

* Versions of Views bulk operations for Drupal 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Views bulk
operations module, there is nothing you need to do.
---- SOLUTION ----

Install the latest version:

* If you use Views bulk operations for Drupal 5.x upgrade to Views bulk
operations 5.x-1.3 [ http://drupal.org/node/369244 ]

* If you use Views bulk operations for Drupal 6.x upgrade to Views bulk
operations 6.x-1.4 [ http://drupal.org/node/369243 ]

See also the Views bulk operations project page [
http://drupal.org/project/views_bulk_operations ].
---- REPORTED BY ----

Derek Wright (dww [ http://drupal.org/user/46549 ]) of the Drupal Security Team
[ http://drupal.org/security-team ].

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].