  • Advisory ID: DRUPAL-SA-CONTRIB-2009-005
  • Project: Views bulk operations (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009 February 04
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

Description

Views bulk operations augments Views by enabling bulk operations to be executed on the content displayed by a view. Views bulk operations does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. Such a cross-site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
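To illustrate the unescaped-output pattern the advisory describes, the following is an added PHP example and not the module's own code: the `vbo_example_*` functions, the `$row` array and its payload are constructed for illustration, and `check_plain()` is the Drupal 5/6 core escaping function (a fallback definition is included so the snippet also runs outside a Drupal bootstrap).

```php
<?php
// Added example, not code from the Views bulk operations module. It shows the
// general defect class named in the advisory (user-supplied data placed into
// page markup without escaping) and the corrected form, not the actual code
// path that was fixed, which the advisory does not show.

// Drupal 5/6 core defines check_plain(); this fallback mirrors its behaviour
// (htmlspecialchars with ENT_QUOTES, UTF-8) so the file runs from the PHP CLI.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample row: node titles are editable by users, so a title may
// carry markup. A harmless script tag is enough to show the difference.
$row = array(
  'nid' => 42,
  'title' => '<script>alert(1)</script> Quarterly report',
);

// Vulnerable pattern: the raw title is concatenated straight into HTML, so a
// browser parses the script tag and runs it in the viewing admin's session.
function vbo_example_row_label_unsafe($row) {
  return '<label for="vbo-' . $row['nid'] . '">' . $row['title'] . '</label>';
}

// Hardened pattern: cast the numeric id and pass the title through
// check_plain(), which turns &, <, >, " and ' into entities so the title is
// displayed as text. Use filter_xss() instead only where a limited set of
// HTML tags is deliberately allowed.
function vbo_example_row_label_safe($row) {
  $nid = (int) $row['nid'];
  return '<label for="vbo-' . $nid . '">' . check_plain($row['title']) . '</label>';
}

// Side by side: the first line carries live markup, the second only entities.
print vbo_example_row_label_unsafe($row) . "\n";
print vbo_example_row_label_safe($row) . "\n";
```

Running the file prints the label twice; only the first contains an executable `<script>` element, the second renders the title literally.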

Versions affected

  • Versions of Views bulk operations for Drupal 5.x prior to 5.x-1.3
  • Versions of Views bulk operations for Drupal 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Views bulk operations module, there is nothing you need to do.

Solution

Install the latest version:

See also the Views bulk operations project page.

Reported by

Derek Wright (dww) of the Drupal Security Team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.