Drupal Taxonomy Autotagger Module Multiple Input Validation Vulnerabilities
The Taxonomy Autotagger module for the Drupal CMS is prone to an SQL-injection issue and an HTML-injection issue.

The SQL-injection vulnerability occurs because the software fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The HTML-injection vulnerability occurs because the software fails to properly sanitize posts by users before returning them to the browser. Exploiting this issue could allow the attacker to inject hostile HTML and script code into vulnerable sections of the application. When viewed, this code may be rendered in the browser of a user visiting the affected site, in the context of that site.

Versions prior to Taxonomy Autotagger 5.x-1.8 are vulnerable.