- Advisory ID: DRUPAL-SA-CONTRIB-2012-027
- Project: Submenu Tree (third-party module)
- Version: 6.x
- Date: 2012-February-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
CVE: CVE-2012-1651
The Submenu Tree module allows sufficiently privileged users to show a
list of menu entries when displaying a node.
The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS)
vulnerability.
The vulnerability is mitigated by the fact that a malicious user must
be assigned a role that includes permissions to edit the Drupal menus.
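The following PHP snippet is an added illustration of the vulnerability class described above; it is not code from the Submenu Tree module and makes no claim about where in that module the missing sanitization was. It assumes a hypothetical helper that turns a list of menu links into an HTML list, and shows the unsanitized output next to the form that passes every user-supplied string through Drupal 6's check_plain() (a fallback definition is included so it runs outside Drupal).

```php
<?php
// Added example, not the Submenu Tree module's own code.
// Drupal 6 provides check_plain(); define a compatible fallback so this
// snippet runs stand-alone outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample input: menu entries as a user with menu-editing
// permission could enter them. The second title carries markup that must
// reach the browser as text, never as HTML.
$items = array(
  array('title' => 'About us', 'href' => 'node/1'),
  array('title' => '<script>alert(1)</script>', 'href' => 'node/2'),
);

// Vulnerable pattern (hypothetical): user-supplied titles are concatenated
// into the page unchanged, so markup in a menu title is rendered by the browser.
function render_submenu_unsafe(array $items) {
  $out = '<ul>';
  foreach ($items as $item) {
    $out .= '<li><a href="' . $item['href'] . '">' . $item['title'] . '</a></li>';
  }
  return $out . '</ul>';
}

// Hardened pattern: every untrusted string is escaped for its HTML context
// before it is concatenated. In real Drupal code the link would normally be
// built with l(), which applies this escaping to the title for you.
function render_submenu_safe(array $items) {
  $out = '<ul>';
  foreach ($items as $item) {
    $out .= '<li><a href="' . check_plain($item['href']) . '">'
          . check_plain($item['title']) . '</a></li>';
  }
  return $out . '</ul>';
}

echo render_submenu_unsafe($items), "\n";
echo render_submenu_safe($items), "\n";
```

The first line of output contains a live script element; the second contains `&lt;script&gt;alert(1)&lt;/script&gt;` as inert text. Reviewing a module for this pattern means looking for any place a menu title, description or path is written into markup without passing through check_plain(), filter_xss() or an API such as l() that escapes it for you.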
Versions affected
- Submenu Tree versions prior to 6.x-1.5
Drupal core is not affected. If you do not use the contributed Submenu Tree module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Submenu Tree module, upgrade to Submenu Tree 6.x-1.5
Please also see the Submenu Tree project page.
Reported by
Fixed by
- Beng Tan, module maintainer
Coordinated by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.