- Advisory ID: DRUPAL-SA-CONTRIB-2010-005
- Project: Own Term (third-party module)
- Version: 6.x-1.0
- Date: 2010-January-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Own Term module allows users to create taxonomy terms in a designated vocabulary. When content is created, the term is automatically added to the node.
The module does not sanitize the term description when displaying it on a term listing page, which allows a cross-site scripting (XSS) attack. Users with a role containing the permission 'create additional terms' can exploit this vulnerability.
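The bug class described above, as an added example (not code from the Own Term module or from this advisory): a hypothetical term listing renderer that prints the stored description unescaped, next to one that escapes it at output time. The function names and sample terms are assumptions, and escape_plain() is a stand-in for Drupal 6's check_plain().

```php
<?php
// Added illustration, not Own Term code. All names here are hypothetical.

// Stand-in for Drupal 6's check_plain(): HTML-escape text for output.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Listing without output sanitization: the description reaches the page verbatim.
function render_term_list_unsafe(array $terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = '<li>' . escape_plain($term['name']) . ': ' . $term['description'] . '</li>';
  }
  return "<ul>\n" . implode("\n", $items) . "\n</ul>";
}

// Hardened listing: every user-supplied field is escaped when it is printed.
function render_term_list_safe(array $terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = '<li>' . escape_plain($term['name']) . ': ' . escape_plain($term['description']) . '</li>';
  }
  return "<ul>\n" . implode("\n", $items) . "\n</ul>";
}

// Constructed sample data. The second description stands for text saved by a
// user whose role has the 'create additional terms' permission.
$terms = array(
  array('name' => 'Recipes', 'description' => 'Cooking notes'),
  array('name' => 'Travel', 'description' => '<script>alert(1)</script>'),
);

// Review check: no raw <script> tag may survive into the rendered page.
$pages = array(
  'unsafe' => render_term_list_unsafe($terms),
  'safe' => render_term_list_safe($terms),
);
foreach ($pages as $label => $html) {
  $verdict = (stripos($html, '<script') === FALSE) ? 'escaped' : 'RAW MARKUP IN OUTPUT';
  echo "$label: $verdict\n";
}
echo $pages['safe'], "\n";
```

In a Drupal 6 module the equivalent output-time calls are check_plain() for plain-text descriptions or filter_xss_admin() where limited markup is meant to be kept; the advisory does not state which approach Own Term 6.x-1.1 takes.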
Versions affected
- Own Term module 6.x-1.0
Drupal core is not affected. If you do not use the contributed Own Term module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Own Term module for Drupal 6.x, upgrade to Own Term 6.x-1.1
See also the Own Term project page.
Reported by
Benjamin Jeavons, Own Term module comaintainer.
Fixed by
Benjamin Jeavons, Own Term module comaintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.