  • Advisory ID: DRUPAL-SA-CONTRIB-2010-101
  • Project: Watcher
  • Version: 5.x, 6.x
  • Date: 2010-October-27
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site Scripting and Cross-site Request Forgery

Description

The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed.

The Watcher module did not sanitize some of the user-supplied data before displaying it, leading to a Cross-site Scripting (XSS) vulnerability which can be used by a malicious user to gain full administrative access. The Watcher module also did not protect the subscribe and unsubscribe links against Cross-site Request Forgery (CSRF).
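The two defect classes named above, escaping of user-supplied data in output and a CSRF token on state-changing GET links, are illustrated below in a hypothetical Drupal 6 module. This is an added example and not the Watcher module's own code; the module name "watcher_example", its functions, its menu paths and the {watcher_example} table are all assumptions made for the illustration. It uses only core Drupal 6 API functions (hook_menu(), l(), t(), drupal_get_token(), drupal_valid_token(), db_query(), drupal_goto()).

```php
<?php
// Hypothetical Drupal 6 module "watcher_example" (added illustration, not the
// Watcher module's own code). It shows the two defect classes the advisory
// names: unescaped user-supplied data in output, and state-changing GET links
// that carry no CSRF token.

/**
 * Implementation of hook_menu().
 *
 * Both actions are plain GET callbacks, the shape the advisory describes, so
 * CSRF protection has to be added by hand with drupal_get_token().
 */
function watcher_example_menu() {
  $items = array();
  foreach (array('subscribe', 'unsubscribe') as $action) {
    $items['watcher-example/' . $action . '/%node'] = array(
      'title' => ucfirst($action),
      'page callback' => 'watcher_example_toggle',
      'page arguments' => array(2, $action),
      'access arguments' => array('access content'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * Vulnerable form of the link: the node title (user-supplied data) is dropped
 * into HTML verbatim, and the URL carries nothing that ties it to the user
 * who clicked it, so any page the victim visits can trigger the action.
 */
function watcher_example_link_insecure($node, $action) {
  $path = 'watcher-example/' . $action . '/' . $node->nid;
  return '<a href="' . url($path) . '">' . ucfirst($action) . ' to ' . $node->title . '</a>';
}

/**
 * Hardened form: l() passes the link text through check_plain(), and the
 * query string carries a token bound to this path and the user's session.
 */
function watcher_example_link($node, $action) {
  $path = 'watcher-example/' . $action . '/' . $node->nid;
  $text = t('@action to @title', array(
    '@action' => ucfirst($action),  // '@' placeholders are run through check_plain()
    '@title' => $node->title,       // a title containing markup is rendered as text
  ));
  return l($text, $path, array('query' => 'token=' . drupal_get_token($path)));
}

/**
 * Menu callback for both actions. The token check rejects requests that did
 * not originate from a link this site built for this user's session.
 */
function watcher_example_toggle($node, $action) {
  $path = 'watcher-example/' . $action . '/' . $node->nid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    // Forged or replayed request: refuse it before touching any state.
    return MENU_ACCESS_DENIED;
  }

  global $user;
  // {watcher_example} is a hypothetical storage table for this illustration.
  if ($action == 'subscribe') {
    db_query("INSERT INTO {watcher_example} (uid, nid) VALUES (%d, %d)", $user->uid, $node->nid);
  }
  else {
    db_query("DELETE FROM {watcher_example} WHERE uid = %d AND nid = %d", $user->uid, $node->nid);
  }

  // '%' placeholders are escaped as well, so the confirmation message cannot
  // re-introduce the injection the link fixed.
  drupal_set_message(t('You are now %state %title.', array(
    '%state' => $action == 'subscribe' ? 'watching' : 'no longer watching',
    '%title' => $node->title,
  )));
  drupal_goto('node/' . $node->nid);
}
```

The alternative to a hand-rolled token is to route the action through the Form API (for example a confirm_form()), which adds and validates a per-session form token on every submission; the GET-link approach above is only needed where a one-click link is a hard requirement. When reviewing a module for the XSS half of this advisory, grep for '!' placeholders in t() calls and for raw concatenation of $node->title, $user->name or comment bodies into markup, since those are the paths that bypass check_plain().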

Versions affected

  • Watcher for Drupal 5.x prior to Watcher 5.x-1.7
  • Watcher for Drupal 6.x prior to Watcher 6.x-1.4

Drupal core is not affected. If you do not use the contributed Watcher module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Watcher for Drupal 5.x, upgrade to Watcher 5.x-1.7
  • If you use Watcher for Drupal 6.x, upgrade to Watcher 6.x-1.4

See also the Watcher project page.

Reported by

  • Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed by

  • Jakob Persson (solipsist), module maintainer

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.