Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-006
- Project: Bibliography (third-party module)
- Version: 5.x, 6.x
- Date: 2010-January-13
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Bibliography module enables users to manage and display lists of scholarly publications. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer biblio' permission are able to exploit this vulnerability.
Versions affected
- Bibliography module 5.x-1.17 and prior versions
- Bibliography module 6.x-1.9 and prior versions
Drupal core is not affected. If you do not use the contributed Bibliography module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Bibliography for Drupal 5.x upgrade to Bibliography 5.x-1.18
- If you use Bibliography for Drupal 6.x upgrade to Bibliography 6.x-1.10
See also the Bibliography project page.
Reported by
- grendzy of the Drupal Security Team.
Fixed by
Ron Jerome, the Bibliography project maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
