- Advisory ID: DRUPAL-SA-CONTRIB-2009-079
- Project: vCard module (third-party module)
- Version: 6.x, 5.x
- Date: 2009-October-21
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The vCard module adds a vCard download link to every user's profile. This link makes it easy to add users from a Drupal site to a local address book. When the theme_vcard() function is added to a theme and default content from the vCard module is output, the site is vulnerable to a Cross Site Scripting (XSS) attack. Such an attack may lead to a malicious user gaining full administrative access.
Versions affected
- vCard module versions 6.x prior to 6.x-1.3
- vCard module versions 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed vCard module, there is nothing you need to do.
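To check an installed copy against the ranges above, the following Python sketch classifies a contributed-module version string. It is an added example, not part of the original advisory or the module's code. It assumes the module's .info file carries the `version = "..."` line written by the drupal.org packaging script; the sample .info text is constructed.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core major version.
FIXED = {6: (1, 3), 5: (1, 4)}

# Contrib version strings look like "6.x-1.2", "6.x-1.3-beta1" or "6.x-1.x-dev".
VERSION_RE = re.compile(
    r'^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<patch>\d+|x)(?:-(?P<extra>[A-Za-z0-9]+))?$'
)
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)

# Constructed sample of a packaged .info file (not taken from the module).
SAMPLE_INFO = '''name = vCard
core = "6.x"
; Information added by drupal.org packaging script
version = "6.x-1.2"
project = "vcard"
'''


def classify(version):
    """Return 'affected', 'not-affected', 'unknown' or 'not-applicable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    core = int(m.group("core"))
    if core not in FIXED:
        return "not-applicable"  # the advisory lists only the 5.x and 6.x branches
    if m.group("patch") == "x":
        return "unknown"         # dev snapshot: the string does not identify the code
    release = (int(m.group("major")), int(m.group("patch")))
    if release < FIXED[core]:
        return "affected"
    if release == FIXED[core] and m.group("extra"):
        return "affected"        # a pre-release sorts before the fixed release
    return "not-affected"


def classify_info(info_text):
    """Classify the version line of a .info file; 'unknown' if none is present."""
    m = INFO_VERSION_RE.search(info_text)
    return classify(m.group(1)) if m else "unknown"


if __name__ == "__main__":
    print(classify_info(SAMPLE_INFO))
```

A result of "unknown" (dev snapshots, or checkouts without a version line) needs manual review rather than being read as safe.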
Solution
Install the latest version:
- If you use the vCard module for Drupal 6.x, upgrade to vCard module 6.x-1.3
- If you use the vCard module for Drupal 5.x, upgrade to vCard module 5.x-1.4
See also the vCard module project page.
Reported by
Fixed by
sanduhrs, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.