FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal6 -- multiple vulnerabilities

Affected packages
drupal6 < 6.22


VuXML ID 1acf9ec5-877d-11e0-b937-001372fd0af2
Discovery 2011-05-25
Entry 2011-05-26

Drupal Team reports:

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin / settings / error-reporting. This is the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.