• Advisory ID: DRUPAL-SA-CONTRIB-2010-092
  • Project: Advanced Book Blocks (third-party module)
  • Version: 6.x
  • Date: 2010-September-15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery

Description

The Advanced Book Blocks module enables you to integrate with the API provided by the JQuery Menu module (version 1.8 and higher) to provide click and expand book menus with the ability to customize each block individually.

The module contained Cross Site Scripting vulnerabilities which could allow a malicious user with one of several non-default permissions to inject arbitrary javascript into the administrative pages provided by this module.

The module also contained Cross Site Request Forgery vulnerabilities which could allow an attacker to trick an administrator into unintentionally deleting or resetting blocks provided by this module.

Versions affected

  • Advanced Book Blocks module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed Advanced Book Blocks module, there is nothing you need to do.

Solution

Install the latest version:

See also the Advanced Book Blocks.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.