  • Advisory ID: DRUPAL-SA-CONTRIB-2010-093
  • Project: Advanced Taxonomy Blocks (third-party module)
  • Version: 6.x
  • Date: 2010-September-15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery

Description

Advanced Taxonomy Blocks makes use of the jQuery menu module to create extremely customizable blocks for browsing through single hierarchy taxonomies.

The module contained Cross Site Scripting vulnerabilities which could allow a malicious user with one of several non-default permissions to inject arbitrary JavaScript into the administrative pages provided by this module.

The module also contained Cross Site Request Forgery vulnerabilities which could allow an attacker to trick an administrator into unintentionally deleting or resetting blocks provided by this module.
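The usual Drupal 6 fix patterns for these two bug classes, as an added example that is not the module's code or its actual patch: escaping user-supplied titles on an admin listing, and moving a delete action behind a token-protected confirmation form. The module name `example_blocks`, its table and its paths are hypothetical; the API calls are Drupal 6 core functions, and the code assumes it is loaded as part of a Drupal 6 module.

```php
<?php
// Hypothetical module "example_blocks"; table, paths and function names are
// illustrative and are not taken from Advanced Taxonomy Blocks.

/**
 * Admin listing. Block titles are user-supplied, and theme('table') does not
 * escape cell contents, so each title goes through check_plain().
 */
function example_blocks_admin_list() {
  $rows = array();
  $result = db_query("SELECT bid, title FROM {example_blocks}");
  while ($block = db_fetch_object($result)) {
    // Vulnerable form: $rows[] = array($block->title, ...);
    $rows[] = array(
      check_plain($block->title),
      // l() escapes its link text; the path leads to a confirmation form.
      l(t('delete'), 'admin/build/example-blocks/' . (int) $block->bid . '/delete'),
    );
  }
  return theme('table', array(t('Title'), t('Operations')), $rows);
}

/**
 * Delete confirmation, registered in hook_menu() with 'page callback' =>
 * 'drupal_get_form'. A bare menu callback that deleted on GET would be
 * forgeable; confirm_form() requires a POST carrying Drupal's form token.
 */
function example_blocks_delete_confirm(&$form_state, $bid) {
  $form['bid'] = array('#type' => 'value', '#value' => (int) $bid);
  $title = db_result(db_query("SELECT title FROM {example_blocks} WHERE bid = %d", $bid));
  // The %title placeholder is escaped by t().
  return confirm_form($form,
    t('Delete block %title?', array('%title' => $title)),
    'admin/build/example-blocks',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

/**
 * Runs only after Form API has validated the token on the submitted form.
 */
function example_blocks_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {example_blocks} WHERE bid = %d", $form_state['values']['bid']);
  drupal_set_message(t('The block has been deleted.'));
  $form_state['redirect'] = 'admin/build/example-blocks';
}
```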

Versions affected

  • Advanced Taxonomy Blocks module for Drupal 6.x versions prior to 6.x-3.4

Drupal core is not affected. If you do not use the contributed Advanced Taxonomy Blocks module, there is nothing you need to do.

Solution

Install the latest version:

See also the Advanced Taxonomy Blocks.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.