PT-2010-3219 · Drupal · Chaos Tool Suite

Justin C. Klein Keane · Published 2010-05-21 · Updated 2017-08-17 · CVE-2010-1546

CVSS v2.0: 6.0 (Medium) · Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Chaos Tool Suite (aka CTools) module versions prior to 6.x-1.4

Description: The issue concerns multiple eval injection vulnerabilities in the import functionality of the Chaos Tool Suite module for Drupal. These vulnerabilities allow remote authenticated users with "administer page manager" privileges to execute arbitrary PHP code via input to a text area. The vulnerabilities are located in the page_manager_page_import_subtask_validate function in page_manager/plugins/tasks/page.admin.inc and the page_manager_handler_import_validate function in page_manager/page_manager.admin.inc.

Recommendations: For Chaos Tool Suite (aka CTools) module versions prior to 6.x-1.4, update to version 6.x-1.4 or later to resolve the issue. As a temporary workaround, restrict access to the import functionality for users holding the "administer page manager" privilege until the update is applied. Additionally, restrict what may be submitted through the import text areas to minimize the risk of exploitation.
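As an added illustration (not CTools' own code and not the patched version of the functions named above), the following hypothetical Drupal 6 style import validate handler shows the eval-on-import pattern the advisory describes next to a hardened variant that treats the import as data rather than code; all function names, form keys and the JSON export format are assumptions.

```php
<?php
// Added example, not CTools' own code. Hypothetical Drupal 6 style import
// validate handlers illustrating the class of bug in CVE-2010-1546.
// All function names, form keys and the JSON format are assumptions.

// Unsafe pattern: the import textarea is treated as PHP export code and
// executed, so whoever can reach the form can run arbitrary PHP.
function example_import_validate_unsafe($form, &$form_state) {
  $code = $form_state['values']['object'];
  ob_start();
  eval($code);  // executes user-controlled source to populate $page
  ob_end_clean();
  if (!isset($page) || !is_object($page)) {
    form_error($form['object'], t('Unable to get a page from the import.'));
  }
  $form_state['page'] = $page;
}

// Hardened alternative: the export format is JSON (an assumption here),
// decoded into an array and checked against an allow list of expected
// keys and types before anything is stored. No code is ever evaluated.
function example_import_validate_safe($form, &$form_state) {
  if (!user_access('administer page manager')) {
    form_error($form['object'], t('You are not allowed to import pages.'));
    return;
  }
  $data = json_decode($form_state['values']['object'], TRUE);
  if (!is_array($data)) {
    form_error($form['object'], t('Import is not valid JSON.'));
    return;
  }
  // Expected keys and their PHP types; anything else in the import is ignored.
  $allowed = array(
    'name' => 'string',
    'path' => 'string',
    'admin_title' => 'string',
    'access' => 'array',
  );
  $page = new stdClass();
  foreach ($allowed as $key => $type) {
    if (!isset($data[$key]) || gettype($data[$key]) !== $type) {
      form_error($form['object'], t('Import field %key is missing or invalid.', array('%key' => $key)));
      return;
    }
    $page->$key = $data[$key];
  }
  // Machine names are later used in paths and queries; constrain the charset.
  if (!preg_match('/^[a-z0-9_]+$/', $page->name)) {
    form_error($form['object'], t('Invalid machine name in import.'));
    return;
  }
  $form_state['page'] = $page;
}
```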

Fix

Code Injection


Weakness Enumeration: Code Injection

Related Identifiers: CVE-2010-1546

Affected Products: Chaos Tool Suite