VYPR
Unrated severity · NVD Advisory · Published Jul 9, 2008 · Updated Apr 23, 2026

CVE-2008-3095

Description

Cross-site scripting (XSS) vulnerability in the Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote authenticated users, with group owner permissions, to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Drupal Organic Groups module allows group owners to inject arbitrary script, potentially leading to admin access.

Vulnerability

The Organic Groups module for Drupal versions 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1 contains a cross-site scripting (XSS) vulnerability. The module displays certain user-supplied values without proper filtering, allowing malicious group owners to inject arbitrary HTML and script code. The attack requires that audience checkboxes are disabled (they are enabled by default) and that the site allows untrusted users to create groups [1].

Exploitation

An attacker must be an authenticated user with group owner permissions. They create a group and convince other users to join. When a victim attempts to start a new discussion in the group, the injected script executes. The attack does not require user interaction beyond joining the group and initiating a discussion [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML, which can lead to administrator access for the malicious user. The XSS can be used to steal session cookies, perform actions on behalf of the victim, or escalate privileges within the Drupal site [1].

Mitigation

The vulnerability is fixed in Organic Groups 5.x-7.3 for Drupal 5.x and 6.x-1.0-RC1 for Drupal 6.x. Users should upgrade to these versions and run update.php. No workarounds are provided in the advisory [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
