- Advisory ID: DRUPAL-SA-2007-021.
- Project: Project issue tracking (third-party module)
- Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x
- Date: 2007-Sep-27
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting (XSS)
Description
The Project issue tracking module provides a subscription feature that lets users sign up for e-mail notification of issue updates. Subscriptions can be edited on either an individual form or an overview form. Users who have permission to create or edit projects may be able to inject arbitrary code into these form pages.
Wikipedia has more information about cross-site scripting (XSS).
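The bug class above, shown as an added illustration rather than the module's own code: the Drupal 5 Form API does not sanitize the labels passed in a checkboxes element's '#options', so a project title that reaches the subscription form unescaped is rendered as markup. The project rows, function names and the assumption that the project title is the injected field are constructed for this example; check_plain() is Drupal core's escaper, stubbed so the file runs outside Drupal.

```php
<?php
// Constructed sample rows as they might come from the project table.
// The marked-up title stands in for input from a user who may edit projects.
$projects = array(
  17 => array('nid' => 17, 'title' => 'Plain project'),
  42 => array('nid' => 42, 'title' => 'Acme <b>Widgets</b>'),
);

// Drupal core's check_plain(); stubbed here only so the file runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES);
  }
}

// Vulnerable pattern (hypothetical name): raw titles become checkbox labels,
// and the Form API emits #options labels without escaping them.
function subscriptions_form_vulnerable($projects) {
  $form = array();
  $options = array();
  foreach ($projects as $nid => $project) {
    $options[$nid] = $project['title'];
  }
  $form['projects'] = array(
    '#type' => 'checkboxes',
    '#title' => 'Subscribe to issue updates for',
    '#options' => $options,
  );
  return $form;
}

// Hardened pattern (hypothetical name): escape each label at the output
// boundary, which is the caller's responsibility for checkboxes labels.
function subscriptions_form_fixed($projects) {
  $form = array();
  $options = array();
  foreach ($projects as $nid => $project) {
    $options[$nid] = check_plain($project['title']);
  }
  $form['projects'] = array(
    '#type' => 'checkboxes',
    '#title' => 'Subscribe to issue updates for',
    '#options' => $options,
  );
  return $form;
}

// Compare the label text each form hands to the renderer for project 42.
$v = subscriptions_form_vulnerable($projects);
$f = subscriptions_form_fixed($projects);
echo "vulnerable label: " . $v['projects']['#options'][42] . "\n";
echo "fixed label:      " . $f['projects']['#options'][42] . "\n";
```

The fixed form emits `Acme &lt;b&gt;Widgets&lt;/b&gt;`, so the browser shows the title as text instead of interpreting it as HTML.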
Versions affected
- 5.x-1.x:
  - Project issue tracking before version 5.x-1.1
- 4.7.x-2.x:
  - Project issue tracking before version 4.7.x-2.5
- 4.7.x-1.x:
  - Project issue tracking before version 4.7.x-1.5
Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.
Solution
Install the latest version:
- 5.x-1.x:
- 4.7.x-2.x:
- 4.7.x-1.x:
As a temporary solution, site administrators can disable, for untrusted users, all permissions that allow creating or editing projects.
Reported by
Chad Phillips (hunmonk) of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.