- Advisory ID: DRUPAL-SA-CONTRIB-2010-028
- Project: Tag Order (third-party module)
- Version: 5.x, 6.x
- Date: 2010-March-17
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Tag Order module allows you to select vocabularies whose terms should be preserved in the order originally entered for each node. Taxonomy vocabulary names are not sanitized when they are displayed on an administrative page, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. Mitigating factor: only users with the 'administer taxonomy' permission can enter or edit vocabulary names.
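To make the flaw concrete for module maintainers, the following is an added illustration of the pattern described above; it is not code from the Tag Order module or the Drupal project, and the function names tagorder_example_settings_form_vulnerable and tagorder_example_settings_form_fixed are hypothetical. It assumes a Drupal 6 settings form that offers vocabularies as checkboxes, built with the real Drupal 6 API functions taxonomy_get_vocabularies(), check_plain(), variable_get() and system_settings_form(). The Form API renders a checkbox's #title as HTML without escaping it, so a vocabulary name entered by an 'administer taxonomy' user reaches the page unescaped unless the module escapes it first.

```php
<?php
// Added illustration (not the Tag Order module's own code) of the
// unsanitized-vocabulary-name pattern behind DRUPAL-SA-CONTRIB-2010-028.
// Assumes the Drupal 6 API; tagorder_example_* names are hypothetical.

/**
 * Vulnerable pattern: vocabulary names are copied straight into #options.
 * Each option becomes the #title of a checkbox, and Drupal 6 renders #title
 * as raw HTML, so any markup stored in the vocabulary name is emitted as-is
 * on the administrative page.
 */
function tagorder_example_settings_form_vulnerable() {
  $options = array();
  foreach (taxonomy_get_vocabularies() as $vid => $vocabulary) {
    $options[$vid] = $vocabulary->name; // user-controlled, not escaped
  }
  $form['tagorder_vocabularies'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Vocabularies whose term order should be preserved'),
    '#options' => $options,
    '#default_value' => variable_get('tagorder_vocabularies', array()),
  );
  return system_settings_form($form);
}

/**
 * Hardened pattern: escape each name with check_plain() before it is used in
 * an HTML context. check_plain() turns '<', '>', '&', and quotes into HTML
 * entities, so a constructed name such as "Topics & <b>Themes</b>" is shown
 * literally as text instead of being interpreted as markup.
 */
function tagorder_example_settings_form_fixed() {
  $options = array();
  foreach (taxonomy_get_vocabularies() as $vid => $vocabulary) {
    $options[$vid] = check_plain($vocabulary->name); // escaped for HTML output
  }
  $form['tagorder_vocabularies'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Vocabularies whose term order should be preserved'),
    '#options' => $options,
    '#default_value' => variable_get('tagorder_vocabularies', array()),
  );
  return system_settings_form($form);
}
```

When auditing a contributed module for this class of bug, look for every place a taxonomy name (or any other administrator-entered string) is placed into #title, #options, #description, #prefix/#suffix, or a t() string: values interpolated with t()'s @placeholder are escaped automatically, while !placeholder and direct concatenation are not and need check_plain() or filter_xss() first.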
Versions affected
- Tag Order for Drupal 6.x prior to 6.x-1.4
- Tag Order for Drupal 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed Tag Order module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Tag Order for Drupal 6.x, upgrade to Tag Order 6.x-1.4
- If you use Tag Order for Drupal 5.x, upgrade to Tag Order 5.x-1.4
See also the Tag Order project page.
Reported by
Fixed by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.