  • Advisory ID: DRUPAL-SA-2008-021
  • Project: Live (third-party module)
  • Version: 5.x
  • Date: 2008-March-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

The contributed module Live provides previews of content items while typing them.

Live is vulnerable to cross-site request forgery (CSRF), which may lead to execution of PHP code when an authenticated, privileged user visits a malicious site.

Versions affected

  • Live for Drupal 5.x before Live 5.x-0.1

Drupal core is not affected. If you do not use the contributed Live module, there is nothing you need to do.

Solution

Install the latest version:

See also the Live project page.

Reported by

The Drupal Security Team.

Contact

The security contact for Drupal can be reached via email at security at drupal.org or via the form at http://drupal.org/contact.