  • Advisory ID: DRUPAL-SA-2007-028
  • Project: Weblinks (third-party module)
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

User input is not properly sanitized on a number of pages. This allows malicious users to inject arbitrary HTML and script code into these pages, which may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia.

Versions affected

  • Weblinks for Drupal 4.7.x before Weblinks 4.7.x-1.0.
  • Weblinks for Drupal 5.x before Weblinks 5.x-1.8.

Drupal core is not affected. If you do not use the contributed Weblinks module, there is nothing you need to do.

Solution

Install the latest version:

See also the Weblinks project page.

Reported by

The Weblinks module maintainer Brandon Bergren (Bdragon).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.