- Advisory ID: DRUPAL-SA-CONTRIB-2012-157
- Project: Time Spent (third-party module)
- Version: 6.x, 7.x
- Date: 2012-October-24
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection, Multiple vulnerabilities
Description
The Time Spent module tracks the time a registered user spends on a site and a site's content.
The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have been addressed by the author; the Drupal Security Team recommends that this module be uninstalled immediately.
CVE identifier(s) issued
- XSS: CVE-2012-5548
- CSRF: CVE-2012-5549
- SQL Injection: CVE-2012-5550
Versions affected
- All Time Spent module versions.
Drupal core is not affected. If you do not use the contributed Time Spent module, there is nothing you need to do.
Solution
Uninstall the module:
- If you use the Time Spent module you should disable the module.
Also see the Time Spent project page.
Reported by
- Dylan Riordan (amorsent)
- Greg Knaddison (greggles) of the Drupal Security Team
Coordinated by
- Forest Monsen (forestmonster) of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
