Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-053
- Project: Answers (third-party module)
- Versions: 5.x
- Date: 2008-September-18
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The Answers module allows a site owner to add a Questions & Answer section to the site.
Unfortunately, the module does not properly escape text, which allows malicious users who are able to post answers to insert arbitrary HTML and scripts into a page. Wikipedia has more information about such cross site scripting (XSS) attacks.
Versions Affected
- All versions of Answers
Drupal core is not affected. If you do not use the Answers module, there is nothing you need to do.
Solution
The module has been removed from Drupal.org. Please disable and uninstall the module from your site.
Reported by
- The vulnerability was publicly disclosed by Justin Klein Keane
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.
