By heine on
- Advisory ID: DRUPAL-SA-2008-010
- Project: Archive (third-party module)
- Version: 5.x
- Date: 2008-January-23
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The Archive module provides a replacement for the archive functionality that was present in Drupal 4.7.
Certain URL arguments are not escaped before display. It is therefore possible to inject arbitrary HTML and script code into certain archive pages, which may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia.
Versions affected
- Archive for Drupal 5.x before Archive 5.x-1.8
Drupal core is not affected. If you do not use the contributed Archive module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x upgrade to Archive 5.x-1.8.
See also the Archive project page.
Reported by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
