Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-113
- Project: Image (third-party module)
- Version: 5.x, 6.x
- Date: 2010-December-22
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms.
The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability which can be used by a malicious user to gain full administrative access.
Mitigating factors: In order to exploit this vulnerability the Image gallery module must be enabled and the attacker must have the ability to edit or create image galleries.
Versions affected
- Image module for Drupal 6.x prior to 6.x-1.1
- Image module for Drupal 5.x prior to 5.x-2.0
- Image module for Drupal 5.x prior to 5.x-1.10
Drupal core is not affected. If you do not use the contributed Image module there is nothing you need to do.
Solution
Install the latest version:
- If you use Image for Drupal 6.x upgrade to Image 6.x-1.1.
- If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image 5.x-2.0.
- If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10.
See also the Image project page.
Reported by
Fixed by
- sun, module maintainer
- joachim, module maintainer
- Justin Klein Keane
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.
