  • Advisory ID: DRUPAL-SA-CONTRIB-2010-087
  • Project: GovDelivery Integration (third-party module)
  • Version: 6.x
  • Date: 2010-Aug-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

The GovDelivery module provides integration with the GovDelivery On-Demand Mailer (ODM) service, a web service for GovDelivery customers that sends messages directly based on configured account information. The module replaces the back end of the SMTP library in your Drupal site with calls to the GovDelivery service, so all mail sent from your site goes through the ODM service.

The module does not sanitize some of the user-supplied data before displaying it (for Drupal 6.x-1.0 only), leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.
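The following is an added illustration of the vulnerability class the advisory describes; it is not the GovDelivery module's own code, and the advisory does not say which field or page was affected. The function names (govdelivery_example_status_vulnerable, govdelivery_example_status_fixed) and the variable name govdelivery_example_account are hypothetical. The stand-in definitions of check_plain(), variable_get() and t() approximate the Drupal 6 core functions so the file runs outside a Drupal bootstrap; inside Drupal they are skipped because core already defines them.

```php
<?php
// Added example, not the module's code. Shows a stored, user-supplied value
// being rendered into HTML verbatim (the pattern behind the XSS in the
// advisory) next to the Drupal 6 way of escaping it on output.

// Stand-ins so the snippet runs without Drupal. Real Drupal 6 check_plain()
// additionally rejects invalid UTF-8; t() also handles '%' and '!' placeholders.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('variable_get')) {
  function variable_get($name, $default) {
    global $conf;
    return isset($conf[$name]) ? $conf[$name] : $default;
  }
}
if (!function_exists('t')) {
  // Drupal 6 t(): values bound to '@' placeholders are passed through
  // check_plain() before substitution, so they are safe inside HTML text.
  function t($string, $args = array()) {
    foreach ($args as $key => $value) {
      if ($key[0] == '@') {
        $args[$key] = check_plain($value);
      }
    }
    return strtr($string, $args);
  }
}

// Vulnerable pattern: a setting saved from an admin form is concatenated
// straight into markup. Anything stored in it is interpreted by the browser.
function govdelivery_example_status_vulnerable() {
  $account = variable_get('govdelivery_example_account', '');
  return '<p>Sending mail via account ' . $account . '</p>';
}

// Hardened pattern: escape at the point of output. t() with an '@' placeholder
// does this implicitly; check_plain() directly is equivalent when no
// translation string is involved.
function govdelivery_example_status_fixed() {
  $account = variable_get('govdelivery_example_account', '');
  return '<p>' . t('Sending mail via account @account', array('@account' => $account)) . '</p>';
}

// Constructed sample input: a value containing markup that reached storage
// unvalidated. Hypothetical variable name.
$conf['govdelivery_example_account'] = 'demo<script>alert(1)</script>';

echo govdelivery_example_status_vulnerable(), "\n";
echo govdelivery_example_status_fixed(), "\n";
```

Run with `php` from the command line: the first line of output carries the script tag through untouched, while the second has its angle brackets converted to `&lt;` and `&gt;`, so the browser displays the text instead of executing it. The fix for this class of bug is the same whether the data comes from a form, the database or a remote service: treat it as text and escape it for the context it is rendered into, rather than trusting it because an administrator typed it.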

Versions affected

  • GovDelivery module for Drupal 6.x versions prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed GovDelivery Integration module, there is nothing you need to do.

Solution

Install the latest version:

See also the GovDelivery Integration project page.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.