- Advisory ID: DRUPAL-SA-CONTRIB-2010-048
- Project: CiviRegister (third-party module)
- Version: 5.x, 6.x
- Date: 2010-May-12
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The CiviRegister module replaces the standard Drupal user registration form with a CiviCRM Profile form configured to create users. Notifications on the Profile's administrative page include unsanitized data obtained from the URL. A malicious user could create a special link which would inject arbitrary HTML into the resulting page if it is clicked by a Drupal user who holds the 'administer CiviCRM' permission. Exploiting this vulnerability could allow a malicious user to gain the permissions of the targeted user.
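Added illustration of the pattern the advisory describes, not CiviRegister's own code: a status message built from unescaped URL data, beside the same message routed through check_plain() or a t() '@' placeholder. The function names and the query-string key are assumptions; the Drupal 6 API stand-ins are defined only so the snippet runs outside Drupal.

```php
<?php
// Added illustration, not CiviRegister's code: an admin notice that echoes
// URL data unescaped (the flaw class in the advisory) and the escaped form.
// Drupal 6 API names (drupal_set_message, check_plain, t) are used; minimal
// stand-ins are defined below so the file runs in plain PHP CLI.

if (!function_exists('check_plain')) {
  // Drupal 6's check_plain(): HTML-escape a string for safe output.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('drupal_set_message')) {
  // Stand-in that collects messages instead of rendering them.
  function drupal_set_message($message, $type = 'status') {
    $GLOBALS['messages'][$type][] = $message;
  }
}
if (!function_exists('t')) {
  // Stand-in for t(): '@' placeholders are escaped, '!' are inserted raw.
  function t($string, array $args = array()) {
    foreach ($args as $key => $value) {
      if ($key[0] === '@') { $value = check_plain($value); }
      $string = str_replace($key, $value, $string);
    }
    return $string;
  }
}

// Vulnerable pattern (hypothetical): the profile name comes straight from
// the query string and is placed in the message unescaped, so a crafted
// link renders as HTML for whichever administrator clicks it.
function civiregister_notice_vulnerable(array $query) {
  drupal_set_message('Profile ' . $query['profile'] . ' is now the registration form.');
}

// Fixed pattern: route user-supplied text through check_plain(), or use a
// t() '@' placeholder, which escapes it for you.
function civiregister_notice_fixed(array $query) {
  drupal_set_message(t('Profile @name is now the registration form.',
    array('@name' => $query['profile'])));
}

// Constructed sample query string such as a crafted link might carry.
$query = array('profile' => '<script>alert(1)</script>');
$GLOBALS['messages'] = array();
civiregister_notice_vulnerable($query);   // tag survives into the page
civiregister_notice_fixed($query);        // tag is escaped to &lt;script&gt;
foreach ($GLOBALS['messages']['status'] as $m) {
  echo $m, "\n";
}
```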
Versions affected
- Versions of CiviRegister for Drupal 6.x prior to 6.x-1.1
- Versions of CiviRegister for Drupal 5.x.
Drupal core is not affected. If you do not use the contributed CiviRegister module, there is nothing you need to do.
Solution
Install the latest version.
- If you use CiviRegister for Drupal 6.x, upgrade to CiviRegister 6.x-1.1 or any later version.
- If you use the CiviRegister module for Drupal 5.x, you should uninstall CiviRegister. CiviRegister and CiviCRM are no longer supported for Drupal 5.x.
Reported by
Fixed by
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at http://drupal.org/security.