Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-016
- Project: Wikitools (third-party module)
- Version: 5.x, 6.x
- Date: 2009-March-25
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting
Description
The Wikitools module provides several options to get a more wiki-like behavior for Drupal. On several pages, the Wikitools module prints out a parameter without escaping it. Malicious users are thus able to execute a cross site scripting (XSS) attack when they entice users to visit a specifically crafted URL. This may lead to a malicious user gaining full administrative access.
Versions affected
- Wikitools 5.x-1.x prior to 5.x-1.3
- Wikitools 6.x-1.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Wikitools module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Wikitools 5.x-1.x upgrade to Wikitools 5.x-1.3
- If you use Wikitools 6.x-1.x upgrade to Wikitools 6.x-1.1
See also the Wikitools project page.
Reported by
Charlie Gordon of the Drupal Security Team.
Fixed by
Charlie Gordon of the Drupal Security Team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
