- Advisory ID: DRUPAL-SA-CONTRIB-2009-013
- Project: Content Construction Kit (third-party module)
- Version: 6.x
- Date: 2009 March 18
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting (XSS)
Description
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
Versions affected
- Versions of CCK for Drupal 6.x prior to 6.x-2.2
Drupal core is not affected. If you do not use the Node reference or User reference sub-modules of the contributed Content Construction Kit (CCK) project, there is nothing you need to do.
Solution
Install the latest version:
- If you use CCK for Drupal 6.x upgrade to CCK 6.x-2.2
See also the Content Construction Kit (CCK) project page.
Reported by
Yves Chedemois (yched).
Fixed by
Yves Chedemois (yched).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
