Security updates for Drupal modules
The Drupal team has just released a whole heap of security advisories. Drupal's Email Input Filter, Keys and Tag Order modules all contain security vulnerabilities. Updated versions, in which the problems are fixed, are now available. Only Email Input Filter and Tag Order for Drupal 5 and 6 and Keys for Drupal 6 are affected.
The Drupal security team classifies the vulnerability in the Email Input Filter as critical, as it allows code to be injected and executed on a server. Administrators who are affected by the problem should update to version 6.x-1.1 as soon as possible. The vulnerabilities in the Tag Order and Keys modules allow cross-site scripting and cross-site request forgeries respectively, meaning that attacks are directed against users rather than the server. Administrators should therefore also fix these vulnerabilities by installing the updates.
See also:
- Email Input Filter - Arbitrary code execution, Drupal security advisory.
- Tag Order - Cross Site Scripting, Drupal security advisory.
- Keys - Cross-site Request Forgery, Drupal security advisory.
(crve)