- Project: project module (contributed module)
- Security risk: less critical
- Impact: project module
- Where: from remote
- Vulnerability: malicious HTML execution and XSS attacks
Description
The project.module was missing some input validation, which could lead to XSS attacks. When submitting an issue, users could enter malicious HTML that could lead to session hijacking.
Versions affected
Please check the CVS $Id$ fields in the following files to determine whether the version of the project module you are running is vulnerable. All versions older than the following are vulnerable:
4.6 branch:
comment.inc: /* $Id: comment.inc,v 1.42.2.4 2006/04/22 21:20:16 dww Exp $ */
issue.inc: /* $Id: issue.inc,v 1.102.2.10 2006/04/22 21:20:40 dww Exp $ */
mail.inc: /* $Id: mail.inc,v 1.47.2.3 2006/04/22 21:20:40 dww Exp $ */
release.inc: /* $Id: release.inc,v 1.52.2.3 2006/04/22 21:20:16 dww Exp $ */
CVS HEAD:
comment.inc: /* $Id: comment.inc,v 1.63 2006/04/22 21:09:40 dww Exp $ */
issue.inc: /* $Id: issue.inc,v 1.167 2006/04/22 21:14:57 dww Exp $ */
mail.inc: /* $Id: mail.inc,v 1.60 2006/04/22 21:14:57 dww Exp $ */
release.inc: /* $Id: release.inc,v 1.70 2006/04/22 21:09:40 dww Exp $ */
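As an added example (not part of the advisory), a small Python check that applies the rule above: it parses the expanded CVS $Id$ keyword from each of the four files and compares the revision with the fixed revision on the same branch (1.42.2.x is the 4.6 branch, 1.x is HEAD). The date in the keyword is ignored, and a revision on a branch the advisory does not list (such as the 4.5 branch) is reported as unknown rather than guessed; the sample lines are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed CVS revisions taken from the advisory; anything older on the same branch is vulnerable.
FIXED_REVISIONS = {
    "comment.inc": {"4.6": "1.42.2.4", "HEAD": "1.63"},
    "issue.inc":   {"4.6": "1.102.2.10", "HEAD": "1.167"},
    "mail.inc":    {"4.6": "1.47.2.3", "HEAD": "1.60"},
    "release.inc": {"4.6": "1.52.2.3", "HEAD": "1.70"},
}

# Matches an expanded keyword such as "$Id: issue.inc,v 1.167 2006/04/22 21:14:57 dww Exp $".
ID_RE = re.compile(r"\$Id:\s+(?P<file>\S+),v\s+(?P<rev>[\d.]+)\s+")

def parse_id(line: str) -> Optional[Tuple[str, str]]:
    """Return (filename, revision) from an $Id$ line, or None if the line has no keyword."""
    m = ID_RE.search(line)
    return (m.group("file"), m.group("rev")) if m else None

def rev_tuple(rev: str) -> Tuple[int, ...]:
    """Split a dotted CVS revision into integers so that 1.102.2.10 sorts after 1.102.2.9."""
    return tuple(int(p) for p in rev.split("."))

def branch_of(rev: str) -> str:
    """Two components (1.63) means the trunk; otherwise the branch is everything but the last number."""
    parts = rev.split(".")
    return "HEAD" if len(parts) == 2 else ".".join(parts[:-1])

def check_file(line: str) -> Optional[str]:
    """Classify one $Id$ line as 'vulnerable' or 'fixed'; None means the file or branch is not covered."""
    parsed = parse_id(line)
    if parsed is None:
        return None
    name, rev = parsed
    fixed = FIXED_REVISIONS.get(name)
    if fixed is None:
        return None
    for fixed_rev in fixed.values():
        if branch_of(fixed_rev) == branch_of(rev):
            return "vulnerable" if rev_tuple(rev) < rev_tuple(fixed_rev) else "fixed"
    return None  # e.g. a 4.5-branch revision: the advisory lists no fixed revision for it

if __name__ == "__main__":
    # Constructed sample lines; replace them with the headers read from your own installation.
    for sample in ["/* $Id: comment.inc,v 1.42.2.3 2006/03/01 00:00:00 dww Exp $ */",
                   "/* $Id: issue.inc,v 1.170 2006/05/01 00:00:00 dww Exp $ */",
                   "/* $Id: mail.inc,v 1.30.2.1 2005/01/01 00:00:00 dww Exp $ */"]:
        print(parse_id(sample), "->", check_file(sample))
```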
Solution
Drupal core is not affected. If you do not use the project module there is nothing you need to do. If you do use project, upgrade to the latest version of the project module for your Drupal version.
Note: a fix for the Drupal 4.5 version of the project module is not available at this time.
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.