Drupal Organic Groups Module Cross Site Scripting and Security Bypass Vulnerabilities UPDATED

Summary

The Organic Groups module for Drupal is prone to a cross-site scripting vulnerability and a security-bypass vulnerability.

Credit:

The original article can be found at: http://www.securityfocus.com/bid/53838
The information has been provided by Ezra Barnett Gildesgame and Fox.


Details

Vulnerable Systems:
 * Drupal Organic Groups 6.X-2.3 and prior

An attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials.
Attackers can exploit the security bypass issue to bypass security restrictions and obtain sensitive information, or perform unauthorized actions; this may aid in launching further attacks.

Vendor Status:
The vendor has issued an update for this vulnerability.

Patch Availability:
http://drupal.org/node/1619810

CVE Information:
CVE-2012-2721

Disclosure Timeline:
Published: Jun 06 2012
Updated: Aug 07 2012
