Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-021
- Project: AddThis Button (third-party module)
- Version: 6.x, 5.x
- Date: 2010-March-03
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer addthis' permission were able to exploit this vulnerability.
Versions Affected
Drupal core is not affected. If you do not use the contributed AddThis Button module, there is nothing you need to do.
Solution
Install the latest version:
- If you use AddThis Button for Drupal 5.x upgrade to AddThis Button 6.x-2.9.
- If you use AddThis Button for Drupal 6.x upgrade to AddThis Button 5.x-2.2.
See also the AddThis Button project page.
Reported by
Fixed by
- Vesa Palmu (wesku), the module maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
