Exposed Filter Data - Cross Site Scripting (XSS)
Posted by Drupal Security Team on September 5, 2012 at 7:29pm

    Advisory ID: DRUPAL-SA-CONTRIB-2012-138
    Project: Exposed Filter Data (third-party module)
    Version: 6.x
    Date: 2012-September-05
    Security risk: Critical
    Exploitable from: Remote
    Vulnerability: Cross Site Scripting

Description

The Exposed Filter Data module facilitates displaying data posted to Views via an exposed filter. The module does not properly sanitize user-supplied data prior to output, leading to a Cross-Site Scripting (XSS) vulnerability.

CVE: Requested

Versions affected

    Exposed Filter Data 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Exposed Filter Data module, there is nothing you need to do.

Solution

Install the latest version:

    If you use the Exposed Filter Data module for Drupal 6.x, upgrade to Exposed Filter Data 6.x-1.2.
    The 7.x-1.x branch is not vulnerable. If you use Exposed Filter Data for Drupal 7.x, there is nothing you need to do.

Also see the Exposed Filter Data project page.

Reported by

    Joe Tsui
    ekes

Fixed by

    Shushu Inbar, the module maintainer

Coordinated by

    Michael Hess (mlhess) of the Drupal Security Team
    Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.