- Advisory ID: DRUPAL-SA-2008-055
- Project: Stock (third-party module)
- Versions: 6.x
- Date: 2008-September-24
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
The stock module provides the ability to query price quotes and trading volumes from various stock markets.
An oversight in the menu permissions code allows any user to change the text of the heading at the top of the stock quotes page. Because this text is not escaped when it is output, only a site administrator could safely be allowed to modify it. Due to the access bypass, any user can add arbitrary HTML and script code to pages. Wikipedia has more information about such cross site scripting (XSS) attacks.
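The advisory does not reproduce the module's source, so the following is an added, hypothetical Drupal 6 module (named example_quotes; it is not the Stock module's code) that shows the two defects the description implies beside their fixes: a settings page whose menu entry only requires a permission that ordinary users hold, and a heading printed without escaping. The module, function, permission and variable names are assumptions; hook_menu(), hook_perm(), variable_get(), system_settings_form() and check_plain() are Drupal 6 core APIs.

```php
<?php
// Hypothetical Drupal 6 module "example_quotes" (added example, not the
// Stock module's code). Illustrates a menu permission oversight and
// missing output escaping, each next to its corrected form.

/**
 * Implementation of hook_perm().
 *
 * Declares a dedicated administrative permission for the settings page so
 * that access is not granted by a permission most roles already have.
 */
function example_quotes_perm() {
  return array('administer example quotes');
}

/**
 * Implementation of hook_menu().
 */
function example_quotes_menu() {
  $items = array();

  // Public page: anyone who may view content can see the quotes.
  $items['quotes'] = array(
    'title' => 'Stock quotes',
    'page callback' => 'example_quotes_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );

  // Settings page for the heading text.
  // BEFORE (weak): guarded by the same permission as the public page, so
  // any authenticated (or even anonymous) user could change the heading:
  //   'access arguments' => array('access content'),
  // AFTER: require the administrative permission declared in hook_perm().
  $items['admin/settings/example-quotes'] = array(
    'title' => 'Example quotes settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_quotes_settings_form'),
    'access arguments' => array('administer example quotes'),
    'type' => MENU_NORMAL_ITEM,
  );

  return $items;
}

/**
 * Settings form; the heading is stored in a Drupal variable.
 */
function example_quotes_settings_form() {
  $form['example_quotes_heading'] = array(
    '#type' => 'textfield',
    '#title' => t('Heading'),
    '#default_value' => variable_get('example_quotes_heading', t('Stock quotes')),
  );
  return system_settings_form($form);
}

/**
 * Builds the heading markup from stored text.
 *
 * BEFORE (weak): the stored string was concatenated into the page as-is,
 * so any markup saved through the settings form was rendered verbatim:
 *   return '<h2>' . $heading . '</h2>';
 * AFTER: escape on output. This holds even if the menu permission is
 * correct, so a future access regression does not become script injection.
 */
function example_quotes_render_heading($heading) {
  return '<h2>' . check_plain($heading) . '</h2>';
}

/**
 * Page callback for the public quotes page.
 */
function example_quotes_page() {
  $heading = variable_get('example_quotes_heading', t('Stock quotes'));
  $output = example_quotes_render_heading($heading);
  // Quote data would be rendered here; omitted in this example.
  $output .= '<p>' . t('No quotes configured.') . '</p>';
  return $output;
}
```

Both fixes are independent: tightening the menu permission removes the access bypass, and check_plain() on output makes the heading safe to display whoever was able to write it. A review of a module like this would check each administrative menu item's 'access arguments' against hook_perm(), and each place a stored string reaches the page for a check_plain() or filter_xss() call.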
Versions affected:
- Versions of Stock for Drupal 6.x prior to 6.x-1.0
Drupal core is not affected. If you do not use the Stock module, there is nothing you need to do.
Solution:
Install the latest version.
- If you use Stock for Drupal 6.x upgrade to Stock 6.x-1.0
Also see the Stock project page.
Reported by:
- Greg Knaddison (greggles)
Contact:
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.