• Advisory ID: DRUPAL-SA-CONTRIB-2009-035
  • Project: Booktree (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-June-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

Booktree takes as input a series of Book nodes and creates a tree-like structure using Book node relationships. The Booktree module does not properly escape the node title and node body when rendering tree root pages. A user with privileges to create book pages could mount a cross-site scripting (XSS) attack, which may lead to that user gaining full administrative access.
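The following is an added illustration of the class of bug the advisory describes and of the Drupal 6 core API that fixes it; it is not Booktree's own code, and the function names and the `$node` argument are assumptions made for the example.

```php
<?php
// Added example, not code from the Booktree module. The function names
// and the shape of $node (title, body, format) are assumptions.

// Unsafe pattern of the kind the advisory describes: title and body are
// concatenated into page markup without escaping. Anyone who can create
// book pages controls both fields, so a <script> tag in a title executes
// in the browser of every viewer of the tree root page, administrators
// included.
function booktree_example_render_unsafe($node) {
  return '<h2>' . $node->title . '</h2>'
       . '<div class="booktree-body">' . $node->body . '</div>';
}

// Hardened pattern using Drupal 6 core functions:
//  - check_plain() HTML-escapes the plain-text title, so "<script>"
//    is output as "&lt;script&gt;".
//  - check_markup() runs the body through the node's input format, so
//    the filters configured for that format (e.g. the HTML filter, which
//    calls filter_xss()) are applied before output. The third argument
//    FALSE skips the access check on the format, which is what core's
//    node rendering does when displaying content authored by others.
function booktree_example_render_safe($node) {
  $title = check_plain($node->title);
  $body  = check_markup($node->body, $node->format, FALSE);
  return '<h2>' . $title . '</h2>'
       . '<div class="booktree-body">' . $body . '</div>';
}
```

The rule of thumb when auditing a contributed module for this class of issue is that any value originating from a node, user, or request that ends up inside theme output must pass through `check_plain()` (plain text), `check_markup()` (formatted node text), or `filter_xss()`/`filter_xss_admin()` (HTML from partially trusted sources) before it is echoed.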

Versions affected

  • Booktree for Drupal 5.x prior to Booktree 5.x-7.3
  • Booktree for Drupal 6.x prior to Booktree 6.x-1.1

Drupal core is not affected. If you do not use the contributed Booktree module, there is nothing you need to do.

Solution

Upgrade to the latest version:

  • If you use Booktree for Drupal 5.x, upgrade to Booktree 5.x-7.3
  • If you use Booktree for Drupal 6.x, upgrade to Booktree 6.x-1.1

See also the Booktree project page.

Reported by

Stéphane Corlosquet of the Drupal Security Team.

Fixed by

Uccio.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.