Userreview cross site scripting vulnerability

• Advisory ID: DRUPAL-SA-2006-020
• Project: Userreview
• Date: 2006-Sep-13
• Security risk: less critical
• Exploitable from: remote
• Vulnerability: cross site scripting

Description

It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.

Versions affected

Drupal core is not affected. If you do not use the userreview module there is nothing you need to do.

If you are running userreview, Please check the CVS $Id$ fields on the second line of the file userreview.module to determine whether the version you are running is vulnerable. Versions older than the following or lacking this field are vulnerable:

• Drupal 4.7 - // $Id: userreview.module,v 1.19 2006/09/12 18:12:21 killes Exp $

Solution

Install the latest version:

• Userreview for Drupal 4.7

See also the userreview project page.

Reported by

Anonymous

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.