SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting

By undefined on 11 Nov 2009 at 22:07 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2009-100
Project: AddToAny (third-party module)
Version: 5.x, 6.x
Date: 2009 November 11
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

AddToAny module provides a share button for AddToAny service for social networks. The module fails to sanitize a value in node title, leading to a Cross Site Scripting (XSS) vulnerability.

Versions affected

AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4
AddToAny module for Drupal 5.x prior to AddToAny 5.x-2.4

Drupal core is not affected. If you do not use the contributed AddToAny module, there is nothing you need to do.

Solution

Upgrade to the latest version:

If you use the AddToAny module for Drupal 6.x upgrade to AddToAny 6.x-2.4
If you use the AddToAny module for Drupal 5.x upgrade to AddToAny 5.x-2.4

Reported by

Reported by Jakub Suchy of the Drupal Security Team.

Fixed by

Fixed by Pat Diven, the module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting

Description

Versions affected

Solution

Reported by

Fixed by

Contact

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community