By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-046
- Project: Award (third-party module)
- Version: 5.x, 6.x
- Date: 2010-May-12
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Award module allows administrators to identify one or more content types as "awards" that can be granted to users.
When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. An attacker must have permission to create Award content to exploit this.
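The pattern behind this advisory, as an added illustration that is not the Award module's own code: a Drupal 6 hook_user() 'view' implementation that lists a user's awards on the profile page, with the unsanitized output the advisory describes shown next to the escaped form. The function names, the helper and the sample titles are assumptions made for the example.

```php
<?php
// Added example, not code from the Award module. Assumes a Drupal 6 site and a
// hypothetical module named "example_award". Award titles are node titles that
// any user with the "create award content" permission controls, so they are
// untrusted input by the time the profile page renders them.

/**
 * Hypothetical helper standing in for the module's real query; returns the
 * titles of awards granted to the user. Constructed sample data.
 */
function example_award_titles_for_user($uid) {
  return array(
    'Top Contributor',
    'Reviewer <em>of the year</em>',  // markup a content creator could enter
  );
}

/**
 * Implements hook_user() (Drupal 6 API) for the 'view' operation.
 */
function example_award_user($op, &$edit, &$account, $category = NULL) {
  if ($op != 'view') {
    return;
  }
  $items = array();
  foreach (example_award_titles_for_user($account->uid) as $title) {
    // Vulnerable pattern (the advisory's bug): the raw title goes straight
    // into HTML, so any tags or event handlers it contains are rendered.
    // $items[] = $title;

    // Hardened: escape before it enters markup. check_plain() is Drupal 6
    // core and turns <, >, &, " into HTML entities, so the title is shown
    // literally, e.g. "Reviewer &lt;em&gt;of the year&lt;/em&gt;".
    $items[] = check_plain($title);
  }

  // theme('item_list') expects items that are already safe for output.
  $account->content['awards'] = array(
    '#type' => 'user_profile_category',
    '#title' => t('Awards'),
    '#weight' => 10,
  );
  $account->content['awards']['list'] = array(
    '#type' => 'user_profile_item',
    '#title' => t('Granted awards'),
    '#value' => theme('item_list', $items),
  );
}
```

The same rule applies anywhere user-controlled node data reaches a profile or page template: escape at output with check_plain() (or filter_xss() when limited markup is intended), rather than trusting that the creator of the content is benign.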
Versions affected
- Award module for Drupal 5.x versions prior to 5.x-1.2
- Award module for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Award module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the Award module for Drupal 5.x, upgrade to Award 5.x-1.2
- If you use the Award module for Drupal 6.x, upgrade to Award 6.x-1.1
Reported by
Fixed by
- Josh Benner, the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at http://drupal.org/security.