- Advisory ID: DRUPAL-SA-CONTRIB-2009-094
- Project: NGP COO/CWP Integration (crmngp) (third-party module)
- Version: 6.x
- Date: 2009-November-4
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting and Access bypass
Description
The NGP COO/CWP Integration module provides Drupal integration with the NGP Software API for efficient campaign management. An administration page did not properly implement access control, thereby allowing untrusted users to view module log information. User-supplied information was not filtered on output, allowing a cross-site scripting (XSS) attack.
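The Drupal 6 pattern that prevents both problems on a log page, as an added example that is not code from the crmngp module: the module name `example_log`, its table, columns, menu path and permission string are all hypothetical.

```php
<?php
// Hypothetical Drupal 6 module "example_log"; every name below is an
// assumption for illustration, not taken from crmngp.

/**
 * Implementation of hook_perm(): a dedicated permission for the log page.
 */
function example_log_perm() {
  return array('view example_log entries');
}

/**
 * Implementation of hook_menu().
 */
function example_log_menu() {
  $items['admin/reports/example-log'] = array(
    'title' => 'Example log',
    'page callback' => 'example_log_page',
    // Weak form of this bug class: 'access callback' => TRUE, or
    // 'access arguments' => array('access content'), which lets any
    // visitor who knows the path read the log.
    'access arguments' => array('view example_log entries'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Page callback: list recent log rows with output escaping.
 */
function example_log_page() {
  $header = array(t('Time'), t('Source'), t('Message'));
  $rows = array();
  $result = db_query_range('SELECT created, source, message FROM {example_log} ORDER BY created DESC', 0, 50);
  while ($entry = db_fetch_object($result)) {
    $rows[] = array(
      format_date($entry->created, 'small'),
      // Stored values may originate from user input; theme('table')
      // prints cell data as-is, so escape each value on output.
      check_plain($entry->source),
      check_plain($entry->message),
    );
  }
  if (empty($rows)) {
    $rows[] = array(array('data' => t('No log entries.'), 'colspan' => 3));
  }
  return theme('table', $header, $rows);
}
```

Drupal 6 caches menu router entries, so a changed access rule in `hook_menu()` only takes effect after the menu is rebuilt (for example by clearing caches).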
Versions affected
- NGP COO/CWP Integration versions for Drupal 6.x prior to 6.x-1.12
Drupal core is not affected. If you do not use the contributed NGP COO/CWP Integration module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use NGP COO/CWP Integration for Drupal 6.x, upgrade to version 6.x-1.13
See also the NGP COO/CWP Integration project page.
Reported by
- Access bypass reported by Dylan Wilder-Tack
- Cross-site scripting reported by Benjamin Jeavons
Fixed by
- XSS vulnerability fixed by Sean Robertson, the module maintainer
- Access bypass vulnerability fixed by Dylan Wilder-Tack
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.