- Advisory ID: DRUPAL-SA-CONTRIB-2009-008
- Project: Taxonomy Theme (third-party module)
- Version: 5.x
- Date: 2009 February 28
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting (XSS)
Description
The Taxonomy Theme module allows a website administrator to change the theme of a given content item based on its taxonomy terms, vocabulary or content type. It does not properly sanitize user-supplied data in a number of places. This allows users with the "administer taxonomy" permission, or, when free tagging is enabled on a vocabulary, any user able to submit content, to insert arbitrary HTML and scripts into certain pages. Such a cross-site scripting (XSS) attack against sufficiently privileged users may lead to administrator access to the site.
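As an added illustration of the bug class described above (not code from the Taxonomy Theme module, whose affected output paths the advisory does not quote), the following PHP contrasts the unsanitized pattern with the corrected one. The function names, the shape of the term object and the sample term are assumptions; check_plain() is Drupal's own escaping function, stubbed here only so the script runs outside Drupal.

```php
<?php
// Added illustration of the bug class, not code from the Taxonomy Theme module.
// Runs stand-alone under plain PHP; inside Drupal 5 the real check_plain() is used.

if (!function_exists('check_plain')) {
  // Stand-in with the same contract as Drupal's check_plain(): encode the
  // characters that are special in HTML so the string is inert as text.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical helper rendering an admin-page row that names the term a theme
// is bound to. Vulnerable form: the term name, which anyone with "administer
// taxonomy" (or any content author, when free tagging is on) controls, is
// concatenated raw into markup.
function example_term_row_vulnerable($term) {
  return '<tr><td>' . $term->name . '</td><td>' . $term->theme . '</td></tr>';
}

// Fixed form: every user-supplied string passes through check_plain() before it
// reaches HTML. The theme name is also stored user input, so escape it as well.
function example_term_row_fixed($term) {
  return '<tr><td>' . check_plain($term->name) . '</td><td>' . check_plain($term->theme) . '</td></tr>';
}

// Constructed sample term (hypothetical field layout): a name carrying markup,
// of the kind free tagging would let an ordinary author submit.
$term = (object) array(
  'tid'   => 7,
  'name'  => 'news<script>alert(1)</script>',
  'theme' => 'garland',
);

$raw   = example_term_row_vulnerable($term);
$fixed = example_term_row_fixed($term);

// A practical check when reviewing a module: the rendered markup must not
// contain the literal tag once the input has gone through check_plain().
if (strpos($raw, '<script>') !== FALSE) {
  echo "vulnerable: script tag survives: $raw\n";
}
if (strpos($fixed, '<script>') === FALSE && strpos($fixed, '&lt;script&gt;') !== FALSE) {
  echo "fixed: $fixed\n";
}
```

The same rule applies wherever the module emits a term or vocabulary name into a page: concatenating it into HTML without check_plain() (or an equivalent filter) reproduces the flaw.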
Versions affected
- Versions of Taxonomy Theme for Drupal 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Taxonomy Theme module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Taxonomy Theme for Drupal 5.x, upgrade to Taxonomy Theme 5.x-1.2
See also the Taxonomy Theme project page.
Reported by
This vulnerability was publicly disclosed.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.