Drupal Security Announcements

This list is for security announcements sent out by the Drupal security team.

URL

XML feed
http://drupal.org/taxonomy/term/44/0


March 13, 2006

21:04
  • Advisory ID: DRUPAL-SA-2006-004
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: moderately critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: mail header injection attack
21:00
  • Advisory ID: DRUPAL-SA-2006-003
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: hijacking
  • Where: from remote
  • Vulnerability: session fixation attack
20:45
  • Advisory ID: DRUPAL-SA-2006-002
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: cross-site scripting
  • Where: from remote
  • Vulnerability: cross-site scripting
20:21
  • Advisory ID: DRUPAL-SA-2006-001
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: bypass access control

January 4, 2006

16:15
Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team: http://www.securityfocus.com/archive/1/420671/30/0/threaded

This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and onwards. Drupal's new XSS filter mechanism takes care of all vulnerabilities listed on http://ha.ckers.org/xss.html (and even more). If you have already updated to at least 4.5.6 / 4.6.4 then you are safe and you do not need to take any action. If you have not updated yet, then we advise you again to do so ASAP.