Security update for CMS Drupal
New versions of Drupal, an open source content management system, are intended to remove three errors through which attackers could sneak arbitrary JavaScript code onto users' systems. The cross-site scripting vulnerability is related to a hole in the XML parser as well as the aggregator, profile, and forum modules. Among other things, attackers could spy on user data. The flaw has been removed in versions 4.6.10 and 4.7.4. The developers are also releasing patches. These remove not only the XSS vulnerabilities, but also several non-security-related flaws.
- Drupal 4.7.4 and 4.6.10 released, advisory from Drupal.org
(ehe)