  • Advisory ID: DRUPAL-SA-CONTRIB-2010-003
  • Project: Forward (third-party module)
  • Version: 6.x
  • Date: 2010-January-6
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple XSS vulnerabilities

Description

This module allows users to forward a link to a specific node on your site to a friend. The Forward module does not properly sanitize user-supplied data, allowing users with the "access administration pages" and "administer forward" permissions, or users with the "access administration pages" and "administer site configuration" permissions, to inject scripts into Drupal-generated output, leading to a cross-site scripting (XSS) vulnerability.
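As an added illustration (not the Forward module's own code), the Drupal 6 pattern behind this class of bug: a page callback that outputs an administrator-entered setting, first concatenated raw as the advisory describes, then sanitized on output with Drupal 6's check_plain() / filter_xss_admin(). The variable name forward_example_message and both function names are hypothetical.

```php
<?php
// Added example, not code from the Forward module. Assumes the Drupal 6 API
// (variable_get, check_plain, filter_xss_admin) and a hypothetical setting
// "forward_example_message" that an administrator edits on a settings form.

// Vulnerable pattern: the stored setting is dropped into HTML unchanged, so
// any markup an administrator entered, including script tags, reaches every
// visitor's browser verbatim.
function forward_example_page_unsafe() {
  $message = variable_get('forward_example_message', '');
  return '<div class="forward-message">' . $message . '</div>';
}

// Hardened pattern: sanitize at the point of output, choosing the filter by
// how much markup the setting is meant to carry.
function forward_example_page_safe($allow_admin_html = FALSE) {
  $message = variable_get('forward_example_message', '');
  if ($allow_admin_html) {
    // Keeps the HTML an administrator is normally allowed to use but strips
    // script-bearing tags and event-handler attributes.
    $output = filter_xss_admin($message);
  }
  else {
    // Escapes everything; the setting is rendered as literal text.
    $output = check_plain($message);
  }
  return '<div class="forward-message">' . $output . '</div>';
}
```

The same rule applies to settings rendered through t() placeholders: use @variable or %variable (escaped) rather than !variable (raw) for administrator-supplied text.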

Versions affected

  • Forward versions prior to 6.x-1.12

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.

Solution

Install the latest version: upgrade to Forward 6.x-1.12.

See also the Forward module project page.

Reported by

mr.baileys

Fixed by

mr.baileys

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.