• Advisory ID: DRUPAL-SA-CONTRIB-2009-008
  • Project: Taxonomy Theme (third-party module)
  • Version: 5.x
  • Date: 2009 February 28
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

Description

The Taxonomy Theme module allows a website administrator to change the theme of a given content item based on taxonomy term, vocabulary or content type. It does not properly sanitize user-supplied data in a number of places. This allows users with the "administer taxonomy" permission (or, when tagging is enabled, any user able to submit content) to insert arbitrary HTML and scripts into certain pages. Such a cross-site scripting (XSS) attack against sufficiently privileged users may lead to administrator access to the site.
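To illustrate the sanitization failure described above, the following PHP is an added example and is not code from the Taxonomy Theme module. It contrasts a Drupal 5-style rendering helper that places a taxonomy term name into page output unescaped with the corrected form that passes the name through Drupal's check_plain(). The helper names, the term object and the sample term name are assumptions made for this example; the local check_plain() stand-in exists only so the file runs outside Drupal.

```php
<?php
// Constructed sample: a term object as a user with "administer taxonomy"
// (or, with tagging enabled, a content submitter) could create it. Term
// names are free text, so they must be treated as untrusted when rendered.
$term = (object) array(
  'tid'  => 1,                                 // constructed value
  'name' => '<script>alert(1)</script>',       // constructed, not a real term
);

// Hypothetical vulnerable helper: concatenates the raw name into HTML, so
// any markup in the name is parsed by the browser.
function example_render_term_unsafe($term) {
  return '<div class="term">' . $term->name . '</div>';
}

// Corrected helper: check_plain() is Drupal's HTML escaper (present in 5.x),
// so the name is displayed as literal text instead of interpreted as markup.
function example_render_term_safe($term) {
  return '<div class="term">' . check_plain($term->name) . '</div>';
}

// Stand-in for Drupal core's check_plain() so this file runs without Drupal;
// inside a real module the core function is used directly.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

echo example_render_term_unsafe($term), "\n";
echo example_render_term_safe($term), "\n";
```

Run stand-alone, the first line of output contains the script element intact, which a browser would execute in the context of whoever views the page; the second line renders the angle brackets as `&lt;` and `&gt;`, so the same term name is shown harmlessly as text. The fix is the same wherever a module echoes term, vocabulary or node field values into HTML: escape at output with check_plain() (or filter_xss() where limited markup is intended) rather than trusting the stored value.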

Versions affected

  • Versions of Taxonomy Theme for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed Taxonomy Theme module, there is nothing you need to do.

Solution

Install the latest version:

See also the Taxonomy Theme project page.

Reported by

This vulnerability was publicly disclosed.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.