- Advisory ID: DRUPAL-SA-CONTRIB-2010-060
- Project: Scheduler (third-party module)
- Version: 5.x, 6.x
- Date: 2010-May-26
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
Scheduler allows nodes to be published and unpublished on specified dates.
Scheduler does not sanitize titles for unpublished nodes on the scheduled nodes overview list, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.
The risk is mitigated by the fact that an attacker must first succeed in (a) creating a node that is (b) scheduled, which requires the "schedule (un)publishing of nodes" permission, and (c) unpublished.
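As an added illustration (not Scheduler's own code, which this advisory does not reproduce), the following Drupal 6 snippet shows the class of bug described: an unpublished node's title reaching the overview table without check_plain(), next to the sanitized version. It assumes a Drupal 6 bootstrap (check_plain(), l(), format_date(), t() and theme('table') are core API) and uses constructed sample nodes; the row layout and the field names are assumptions, not Scheduler's schema.

```php
<?php
// Added illustrative example, not Scheduler's actual code. Assumes a Drupal 6
// bootstrap so that the core API functions used below are available.

// Constructed sample input: two scheduled nodes, the second unpublished and
// carrying markup in its title (the case the advisory describes).
$nodes = array(
  (object) array('nid' => 1, 'title' => 'Plain title', 'status' => 1,
                 'publish_on' => 1274832000),
  (object) array('nid' => 2, 'title' => '<em>markup</em> in title', 'status' => 0,
                 'publish_on' => 1274918400),
);

/**
 * Vulnerable pattern: the unpublished node's title is placed in the table
 * cell as-is, so any HTML it contains is rendered in the admin's browser.
 * Published nodes happen to be safe only because l() escapes its link text.
 */
function scheduler_example_rows_vulnerable($nodes) {
  $rows = array();
  foreach ($nodes as $node) {
    $title = $node->status ? l($node->title, 'node/' . $node->nid) : $node->title;
    $rows[] = array($title, format_date($node->publish_on, 'small'));
  }
  return $rows;
}

/**
 * Hardened pattern: every path that puts the title into HTML escapes it.
 * l() already runs check_plain() on its text (unless 'html' => TRUE is set),
 * so only the plain-text branch needs the explicit call.
 */
function scheduler_example_rows_fixed($nodes) {
  $rows = array();
  foreach ($nodes as $node) {
    $title = $node->status
      ? l($node->title, 'node/' . $node->nid)
      : check_plain($node->title);
    $rows[] = array($title, format_date($node->publish_on, 'small'));
  }
  return $rows;
}

$header = array(t('Title'), t('Publish on'));
print theme('table', $header, scheduler_example_rows_fixed($nodes));
```

The sanitized row renders the second title literally as "&lt;em&gt;markup&lt;/em&gt; in title", which is the behaviour a reviewer should expect from any admin listing that prints user-supplied node titles.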
Versions affected
- Scheduler module for Drupal 5.x versions prior to 5.x-1-19
- Scheduler module for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Scheduler module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Scheduler module for Drupal 5.x upgrade to Scheduler 5.x-1-19
- If you use the Scheduler module for Drupal 6.x upgrade to Scheduler 6.x-1.7
See also the Scheduler project page.
Reported by
- mr.baileys of the Drupal security team
Fixed by
- Eric Schaefer, module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.