  • Advisory ID: DRUPAL-SA-CONTRIB-2009-018
  • Project: Feed element mapper (third-party module)
  • Version: 5.x
  • Date: 2009-March-26
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

Description

Feed element mapper is an add-on module for FeedAPI that maps elements of a feed item, such as tags or the author name, to taxonomy or CCK fields. These mappings are configured by point and click. The module does not escape content titles before output, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross-site scripting (XSS) attack against sufficiently privileged users may lead to administrator access to the site.
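To make the bug class concrete, the following PHP is an added illustration and not the Feed element mapper module's own code: a feed item title emitted into page markup raw, beside the same output passed through Drupal's check_plain(). The function names, the feed items and the stand-alone check_plain() fallback are constructed for this example.

```php
<?php
// Stand-alone fallback so the example runs outside Drupal. Drupal 5's
// check_plain() escapes with htmlspecialchars($text, ENT_QUOTES); this
// fallback assumes UTF-8 input and is not the Drupal implementation itself.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed feed items: one ordinary title and one carrying markup.
$items = array(
  (object) array('nid' => 1, 'title' => 'Weekly news'),
  (object) array('nid' => 2, 'title' => 'News <script>alert(1)</script>'),
);

// Vulnerable pattern (hypothetical function): the title is concatenated
// straight into the HTML, so any tags in the feed reach the browser intact.
function example_mapper_rows_unsafe($items) {
  $rows = array();
  foreach ($items as $item) {
    $rows[] = '<tr><td>' . $item->title . '</td></tr>';
  }
  return implode("\n", $rows);
}

// Fixed pattern (hypothetical function): plain-text data is escaped with
// check_plain() at the point it is placed into markup. The same applies when
// rows are handed to theme('table'), which outputs cell contents as given.
function example_mapper_rows_safe($items) {
  $rows = array();
  foreach ($items as $item) {
    $rows[] = '<tr><td>' . check_plain($item->title) . '</td></tr>';
  }
  return implode("\n", $rows);
}

// Simple check a reviewer can run: does a literal <script> tag survive?
function example_contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

$unsafe = example_mapper_rows_unsafe($items);
$safe   = example_mapper_rows_safe($items);
echo "unsafe output keeps <script>: " . (example_contains_raw_script($unsafe) ? 'yes' : 'no') . "\n";
echo "safe output keeps <script>:   " . (example_contains_raw_script($safe) ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```

Run with `php example.php`; the escaped row shows `&lt;script&gt;` as visible text rather than an executable tag.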

Versions affected

  • Versions of Feed element mapper for Drupal 5.x prior to 5.x-1.1

Drupal core is not affected. If you do not use the contributed Feed element mapper module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use one of the unsupported Feed element mapper 6.x-1.0 beta versions, upgrade to Feed element mapper 6.x-1.0-beta5.

See also the Feed element mapper project page.

Reported by

James Gilliand

Fixed by

Alex Barth

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.