Hi everyone,
I just wanted to be sure everyone heard about the security vulnerability that was found and patched in CCK:
The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.
Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross-site scripting attack (XSS) may lead to the malicious user gaining full administrative access.
This is only an issue if you need any role separation between administrators and users with the "administer content" permission.
------------VERSIONS AFFECTED------------
- CCK for Drupal 5.x prior to 5.x-1.10
- CCK for Drupal 6.x prior to 6.x-2.0 (including all RC releases)
Drupal core is not affected. If you do not use the contributed CCK module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
- For Drupal 5.x, install CCK 5.x-1.10 [ http://drupal.org/node/330570 ]
- For Drupal 6.x, install CCK 6.x-2.0 [ http://drupal.org/node/330573 ]
See also the CCK project page [ http://drupal.org/project/cck ].
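
A way to check an installed CCK version against the fixed releases listed above, as an added example that is not part of the original post or the CCK project's code. It assumes Drupal's `<core>.x-<major>.<patch>[-<extra>]` version format and that the module's `.info` file carries a `version = "..."` line; the function names and the sample `.info` text are made up for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"5": (1, 10), "6": (2, 0)}

# Assumed version format: <core>.x-<major>.<patch>[-<extra>], e.g. 6.x-2.0-rc10
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$")
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)


def is_affected(version):
    """Return True if this CCK version predates the fixed release for its branch."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    core, major, patch, extra = m.groups()
    if core not in FIXED:
        raise ValueError("advisory does not cover Drupal %s.x" % core)
    if patch == "x":
        # Development snapshot (e.g. 6.x-2.x-dev): build date unknown, so flag it.
        return True
    release = (int(major), int(patch))
    if release != FIXED[core]:
        return release < FIXED[core]  # numeric compare, so 1.9 sorts before 1.10
    # Same number as the fix: any suffix (rc, beta, alpha) marks a pre-release.
    return extra is not None


def version_from_info(info_text):
    """Extract the version value from the text of a module .info file."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None


# Constructed sample .info content, not copied from a real site.
SAMPLE_INFO = 'core = 6.x\nversion = "6.x-2.0-rc10"\n'

if __name__ == "__main__":
    samples = ["5.x-1.9", "5.x-1.10", "6.x-2.0", version_from_info(SAMPLE_INFO)]
    for v in samples:
        print(v, "AFFECTED" if is_affected(v) else "ok")
```

A plain string comparison would rank 5.x-1.9 above 5.x-1.10 and would treat 6.x-2.0-rc10 as newer than 6.x-2.0, which is why the check compares numeric tuples and handles the suffix separately.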

Comments
kind of funny...
... if you've got malicious content administrators you've got bigger problems ;)