- Advisory ID: DRUPAL-SA-2008-056
- Project: Simplenews (third-party module)
- Versions: 5.x, 6.x
- Date: 2008-September-24
- Security risk: Not Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross site scripting (XSS) attacks.
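The defect class described above, as an added illustration in PHP (not Simplenews's own code): a category name supplied through the taxonomy interface is printed raw into the page, beside the hardened form that passes it through Drupal 5/6's check_plain() first. The function names and the sample term are constructed for this example.

```php
<?php
// Added example, not taken from the Simplenews module.
// check_plain() is the Drupal 5/6 API function for HTML-escaping plain text;
// the fallback below matches its behaviour so the script also runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the term name reaches the HTML output unescaped, so markup
// entered by anyone holding "administer taxonomy" is rendered by the browser.
function example_category_heading_vulnerable($term) {
  return '<h2 class="newsletter-category">' . $term->name . '</h2>';
}

// Hardened pattern: escape on output, so the same name is displayed as text.
function example_category_heading_safe($term) {
  return '<h2 class="newsletter-category">' . check_plain($term->name) . '</h2>';
}

// Regression check a maintainer can keep: no raw tag from the name survives output.
function example_output_is_escaped($html, $name) {
  return strip_tags($name) === $name || strpos($html, '<script') === false;
}

// Constructed taxonomy term object (hypothetical tid and name).
$term = (object) array(
  'tid'  => 42,
  'name' => 'Weekly news <script>alert(1)</script>',
);

$vulnerable = example_category_heading_vulnerable($term);
$safe       = example_category_heading_safe($term);

print $vulnerable . "\n";
print $safe . "\n";

assert(!example_output_is_escaped($vulnerable, $term->name));
assert(example_output_is_escaped($safe, $term->name));
```

The first line printed contains the script element intact; the second shows it entity-encoded (&lt;script&gt;...), which is the behaviour the fixed releases restore.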
Versions Affected
- Versions of Simplenews for Drupal 5.x prior to 5.x-1.5
- Versions of Simplenews for Drupal 6.x prior to 6.x-1.0-beta4
Drupal core is not affected. If you do not use the Simplenews module, there is nothing you need to do.
Solution
Install the latest version.
- If you use Simplenews for Drupal 5.x, upgrade to Simplenews 5.x-1.5
- If you use Simplenews for Drupal 6.x, upgrade to Simplenews 6.x-1.0-beta4
Note: Beta and development versions are not recommended for use on production sites.
Also see the Simplenews project page.
Reported by
- The module maintainer Erik Stielstra (Sutharsan)
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact, selecting the security issues category.