  • Advisory ID: DRUPAL-SA-CONTRIB-2009-067
  • Project: Dex: Contact Information Manager (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-Sept-30
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Dex: Contact Information Manager module enables contact information management with Google Maps and Yahoo Maps compatible geocoding. The module suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. This module is no longer maintained. The releases have been unpublished and it is recommended that it be disabled and uninstalled if in use.

Versions affected

  • Dex versions 6.x up to and including 6.x-1.0-rc1
  • Dex versions 5.x up to and including 5.x-1.0

Drupal core is not affected. If you do not use the contributed Dex module, there is nothing you need to do.

Solution

There is no solution available. It is recommended that you disable and uninstall the Dex module if it is in use on your site.

Reported by

Handled by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.