A "moderately critical" ECMAScript/JavaScript vulnerability in Drupal has been fixed in the latest release, version 6.1. All users of the 6.0 version of Drupal are encouraged to patch their current installations or install the complete version 6.1 files.
A potential cross-site scripting (XSS) vulnerability (SA-2008-018) existed in the handling of titles on content edit forms. A JavaScript function used to escape text wasn't working correctly; it is fixed in the latest version.
The legacy 5.x line of Drupal remains at version 5.7 and is not affected by this vulnerability.
Drupal 6.1 is available for download from the main Drupal website.
Trend Micro's Juan Castro reports today that a vulnerability in Plone, discovered in November 2007 by AusCERT, has cropped up on a number of sites. The exploit uses a technique called "Doorway Pages" and redirects visitors to pages that then download malware to the visitor's computer. Castro's analysis is that someone is using the vulnerability discovered by AusCERT as a redirector to hijack traffic and possibly infect computers.
The vulnerability was addressed in Plone's version 3.0.3 and legacy version 2.5.5. If you're using Plone for any of your CMS-based websites, make sure your installation is patched to the current version, which is 3.0.6, or to the latest legacy version, which is 2.5.5.
The open-source CMS Joomla issued a security patch for its legacy 1.0.x branch today. The latest version, 1.0.15 (Daytime), addresses a security vulnerability, according to the project's website. All users of 1.0.14 or earlier are encouraged to upgrade to version 1.0.15 as soon as possible.
Joomla also has a newer version available, which is currently at 1.5.1. This site runs on Drupal, but I have other client sites we've built and maintain on Joomla, and I'm planning on upgrading to the 1.5.x branch soon. When I do, I'll include a post describing my impressions of the new version.