  • Advisory ID: DRUPAL-SA-2006-032.
  • Project: MySite (third-party module).
  • Version: 4.7.0, 4.7.x-3.2, 5.x-1.2.
  • Date: 2006-12-18.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Cross-site scripting.

Description

Data is not properly sanitised before being used in titles. This can be exploited to insert and execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This may lead to administrator access if certain conditions are met. Learn more about cross-site scripting on Wikipedia.

Versions affected

  • MySite 5.x-1.2
  • MySite 4.7.x-3.2
  • MySite download prior to the new release system

Drupal core is not affected. If you do not use the contributed MySite module, there is nothing you need to do.

Solution

Install the latest version:

See also the MySite project page.

Reported by

Mark Baggett.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.