SB20200114119 - Multiple vulnerabilities in SuperTux data

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2011-2714)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.

2) SQL injection (CVE-ID: CVE-2011-2715)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• https://seclists.org/fulldisclosure/2011/Feb/219
• https://www.drupal.org/node/1056470
• https://www.openwall.com/lists/oss-security/2011/07/26/8