By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-090
- Project: Yr Weatherdata (third-party module)
- Version: 6.x
- Date: 2010-September-08
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The Yr Weatherdata module displays weather forecasts and lets users with the proper permission set the sort method. When the sort method is set, the module does not correctly filter the value supplied by the user. This vulnerability can be exploited to perform an SQL injection attack.
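The advisory does not show the module's code. As an added example (not the module's actual fix), this is one way to handle a user-selected sort method so that the submitted value is only ever a key into a fixed server-side map. Table, column and key names are hypothetical, and SQLite via PDO stands in for Drupal's database layer.

```php
<?php
// Added example: table, column and sort-key names are hypothetical.
// The user picks a *key*; only the server-side fragment it maps to reaches SQL.
const SORT_METHODS = [
    'name'   => 'name ASC',
    'newest' => 'updated DESC',
    'weight' => 'weight ASC, name ASC',
];
const DEFAULT_SORT = 'name';

// Settings-form validation: anything that is not a known key is rejected.
function validate_sort_method($input): ?string
{
    return (is_string($input) && array_key_exists($input, SORT_METHODS)) ? $input : null;
}

// Query builder: re-checks the stored setting, since a value saved before
// validation was introduced may still be in the database.
function load_locations(PDO $db, $storedSort, int $limit): array
{
    $key = validate_sort_method($storedSort) ?? DEFAULT_SORT;
    // ORDER BY takes identifiers, which placeholders cannot bind, so the
    // fragment comes from the constant map; ordinary values are still bound.
    $stmt = $db->prepare(
        'SELECT name FROM locations ORDER BY ' . SORT_METHODS[$key] . ' LIMIT :lim'
    );
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE locations (name TEXT, updated INTEGER, weight INTEGER)');
$db->exec("INSERT INTO locations VALUES ('Oslo', 3, 2), ('Bergen', 1, 1), ('Tromso', 2, 3)");

// A known key is accepted; a raw SQL fragment is not a key and is refused.
var_dump(validate_sort_method('newest'));
var_dump(validate_sort_method('updated DESC'));

// A stored value outside the map falls back to the default ordering.
print_r(load_locations($db, 'newest', 10));
print_r(load_locations($db, 'not-a-sort-key', 10));
```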
Versions affected
- Yr Weatherdata module for Drupal 6.x before version 6.x-1.6
Drupal core is not affected. If you do not use the contributed Yr Weatherdata module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Yr Weatherdata module for Drupal 6.x before version 6.x-1.6, upgrade to Yr Weatherdata 6.x-1.6 or later, preferably the current Yr Weatherdata 6.x-1.10.
See also the Yr Weatherdata project page.
Reported by
- Fredrik Kilander (tjodolv), module maintainer
Fixed by
- Fredrik Kilander (tjodolv), module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.