----------------------------------------------------------------------

Do you have a VARM strategy implemented?
(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.

For more information visit:
http://secunia.com/advisories/business_solutions/

Alternatively, request a call from a Secunia representative today to
discuss how we can help you with our capabilities. Contact us at:
sales@secunia.com

----------------------------------------------------------------------

TITLE:
Drupal Simplenews Statistics Module Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA37128

VERIFY ADVISORY:
http://secunia.com/advisories/37128/

DESCRIPTION:
Some vulnerabilities and a weakness have been reported in the Simplenews
Statistics module for Drupal, which can be exploited by malicious people
to conduct cross-site scripting, cross-site request forgery, and
spoofing attacks.

1) Certain input passed to unspecified parameters is not properly
sanitised before being displayed to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

2) The module allows users to perform certain actions via HTTP requests
without performing any validity checks (e.g. a request token) to verify
that the request was intentionally issued by the user. This can be
exploited, by luring a logged-in user to an attacker-controlled page
that issues such a request, to e.g. hijack accounts of other logged-in
users.

3) A weakness is caused due to the module using certain parameters to
redirect users without validation. This can be exploited to e.g.
redirect a user from a trusted site URL to a malicious site.

The vulnerabilities and the weakness are reported in versions prior to
6.x-2.0.

SOLUTION:
Update to version 6.x-2.0.
http://drupal.org/node/590098

PROVIDED AND/OR DISCOVERED BY:
1) and 2) The vendor credits Dylan Wilder-Tack.
3) The vendor credits John Pettitt.
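The three issue classes in the DESCRIPTION above, shown as generic hardening checks: output escaping against 1), a session- and action-bound request token against 2), and a same-site-only redirect target check against 3). This is an added illustration in Python; it is not the Simplenews Statistics module's code (which is PHP), not the 6.x-2.0 fix, and the advisory does not name the affected parameters. The function names, the demo secret key, the session ids and every sample input are constructed for the example.

```python
"""Hardening checks for the three issue classes named in the advisory
(unsanitised output, unverified state-changing requests, unvalidated
redirect parameters). Added illustration; not the module's own code."""
import hashlib
import hmac
import html
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed server-side secret; a real site derives this from its private key.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def render_stat_label(user_input: str) -> str:
    """Issue 1 (XSS): escape untrusted text before interpolating it into
    HTML. Drupal 6 does the same job with check_plain()."""
    return '<span class="label">%s</span>' % html.escape(user_input, quote=True)


def csrf_token(session_id: str, action: str) -> str:
    """Issue 2 (CSRF): a token bound to both the session and the action,
    so a token leaked from one page cannot authorise a different one."""
    msg = ("%s:%s" % (session_id, action)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    # Constant-time comparison; a missing token compares against "".
    return hmac.compare_digest(csrf_token(session_id, action), presented or "")


def handle_delete(session_id: str, params: Dict[str, str]) -> Tuple[int, str]:
    """A state-changing handler. The weak form would act on any request
    that names an id; this hardened form refuses without a valid token
    for this session and this action."""
    if not csrf_valid(session_id, "delete", params.get("token")):
        return 403, "missing or invalid token"
    return 200, "deleted %s" % params.get("id")


def safe_redirect_target(raw: Optional[str], default: str = "/") -> str:
    """Issue 3 (open redirect): accept only a site-local path. Anything
    with a scheme, a host, a leading '//' or a backslash (which some
    browsers normalise to '/') or a CR/LF falls back to the default."""
    if not raw or any(c in raw for c in "\r\n\\"):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return default
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    return raw


if __name__ == "__main__":
    # Constructed inputs, not taken from the advisory.
    print(render_stat_label('<img src=x onerror=alert(1)>'))
    tok = csrf_token("sess-A", "delete")
    print(handle_delete("sess-A", {"id": "7"}))                 # no token
    print(handle_delete("sess-A", {"id": "7", "token": tok}))   # valid
    print(handle_delete("sess-B", {"id": "7", "token": tok}))   # other session
    for t in ("/admin/reports/simplenews", "https://evil.test/", "//evil.test",
              "/\\evil.test", "javascript:alert(1)", ""):
        print(repr(t), "->", safe_redirect_target(t))
```

In Drupal 6 the equivalents are check_plain() for escaping and drupal_get_token()/drupal_valid_token() for request tokens; the redirect check has no single core helper, so a module has to validate the parameter itself before handing it to drupal_goto(). Note that the redirect check is an allow-list on shape (path-only, same origin), not a block-list of known bad hosts: the protocol-relative and backslash cases in the demo are exactly the ones a host block-list misses.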
ORIGINAL ADVISORY:
SA-CONTRIB-2009-080:
http://drupal.org/node/611002

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------