- Advisory ID: DRUPAL-SA-2007-028
- Project: Weblinks (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
User input is not properly sanitized on a number of pages. This allows malicious users to inject arbitrary HTML and script code into these pages, which may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia.
Versions affected
- Weblinks for Drupal 4.7.x before Weblinks 4.7.x-1.0.
- Weblinks for Drupal 5.x before Weblinks 5.x-1.8.
Drupal core is not affected. If you do not use the contributed Weblinks module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 4.7.x, upgrade to Weblinks 4.7.x-1.0.
- If you use Drupal 5.x, upgrade to Weblinks 5.x-1.8.
See also the Weblinks project page.
Reported by
The Weblinks module maintainer Brandon Bergren (Bdragon).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.