SB2014112010 - Fedora 21 update for drupal7

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2012-6662)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 when processing title attribute, which is not properly handled in the autocomplete combo box demo. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Session hijacking (CVE-ID: CVE-2014-9015)

The vulnerability allow a remore user to hijack a valid user's session.
The weakness exists due to specially crafted requests that gives a user access to another user's session and allows attacker to steal a random session.
Successful exploitation of this vulnerability may result in hijacking of the target user's session.

3) Denial of service (CVE-ID: CVE-2014-9016)

The vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to CPU and memory exhaustion. Specially crafted and sent by the attackers requests may lead to site unavailability.
Successful exploitation of this vulnerability may result in denial of service on the vulnerable system.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2014-15583