Main Vulnerability Database SB2014112006

SB2014112006 - Fedora EPEL 5 update for drupal6

Published: November 20, 2014 Updated: April 24, 2025

Security Bulletin ID SB2014112006

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2012-6662)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 when processing title attribute, which is not properly handled in the autocomplete combo box demo. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Session hijacking (CVE-ID: CVE-2014-9015)

The vulnerability allow a remore user to hijack a valid user's session.
The weakness exists due to specially crafted requests that gives a user access to another user's session and allows attacker to steal a random session.
Successful exploitation of this vulnerability may result in hijacking of the target user's session.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4228