Open Upload Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities

The Finder module for Drupal is prone to a cross-site scripting vulnerability and an arbitrary code execution vulnerability because the application fails to sufficiently sanitize user-supplied data.

Attackers can exploit these issues to execute arbitrary code in the context of the web server and steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.

Open Upload 0.4.2 is vulnerable; other versions may also be affected.


