- Advisory ID: DRUPAL-SA-CONTRIB-2010-051
- Project: Heartbeat (third-party module)
- Version: 6.x
- Date: 2010-May-19
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Heartbeat project contains a suite of modules to display user activity on a website. These modules do not properly sanitize some of their output, allowing certain users to insert arbitrary HTML and script code. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access. Depending on how the modules are configured, this vulnerability may extend to relatively unprivileged users, such as those with the ability to post comments, user "shouts" or other content.
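The bug class described above, as an added illustration rather than Heartbeat's own code: a hypothetical Drupal 6 theme function (theme_example_shout, with a made-up $shout object) that renders a user-supplied "shout", first with the output unsanitized and then hardened with the Drupal 6 API functions check_plain(), filter_xss(), l() and t(). It assumes a bootstrapped Drupal 6 site where those functions are available.

```php
<?php
// Added example, not code from the Heartbeat module. Assumes Drupal 6's
// check_plain(), filter_xss(), l() and t() are loaded; $shout is a
// hypothetical object with ->uid, ->name and ->message set from user input.

// Hypothetical vulnerable form: the name and message are concatenated
// straight into the markup, so a shout containing <script> or an event
// handler attribute runs in every viewer's browser, including an
// administrator's session.
function theme_example_shout_vulnerable($shout) {
  return '<div class="shout">'
    . '<span class="author">' . $shout->name . '</span>: '
    . $shout->message
    . '</div>';
}

// Hardened form. Rules applied:
//  - plain text goes through check_plain() (HTML-escaped);
//  - text that may legitimately carry a little markup goes through
//    filter_xss() with an explicit, short tag whitelist;
//  - l() escapes its link text itself unless $options['html'] is TRUE,
//    so the raw name is passed and not double-escaped;
//  - in t(), "@var" placeholders are escaped, "!var" placeholders are
//    inserted verbatim and must already be safe.
function theme_example_shout($shout) {
  $allowed_tags = array('a', 'em', 'strong', 'b', 'i');

  $author  = l($shout->name, 'user/' . (int) $shout->uid);
  $message = filter_xss($shout->message, $allowed_tags);

  $body = t('!author said: !message', array(
    '!author'  => $author,   // already safe: built by l()
    '!message' => $message,  // already safe: filtered by filter_xss()
  ));

  return '<div class="shout">' . $body . '</div>';
}
```

When in doubt, prefer check_plain() over filter_xss(): the whitelist form only belongs where the feature genuinely needs user-authored markup.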
Versions affected
- Heartbeat for Drupal 6.x versions prior to 6.x-4.9
Drupal core is not affected. If you do not use the contributed Heartbeat modules, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Heartbeat module for Drupal 6.x, update to Heartbeat 6.x-4.9.
See also the Heartbeat project page.
Reported by
Some aspects of the vulnerability were reported by Sebastian Szałachowski, and others were reported by Jochen Stals (Stalski), the module maintainer.
Fixed by
Jochen Stals (Stalski), the module maintainer, and David Rothstein of the Drupal Security Team
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.