• Advisory ID: DRUPAL-SA-CONTRIB-2009-042
  • Project: Submitted By (third-party module)
  • Version: 6.x
  • Date: 2009-July-15
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

Submitted By is a module that lets you control the format of the "Submitted by" information on your content per content type. This module does not properly escape user input used in building the string that displays the "submitted by" text. Only administrators with the 'administer content types' permission can enter this text. A user with these administrative privileges could attempt a cross site scripting (XSS) attack, which may lead to that user gaining full administrative access. In general, the permission "administer content types" is comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators. See: http://drupal.org/node/372836
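The escaping pattern this advisory describes, shown as an added stand-alone PHP example rather than the module's own code: an administrator-entered format string is combined with per-node placeholder values, once without escaping and once with. The function and placeholder names are assumptions, and check_plain_standin mirrors Drupal 6's check_plain() so the script runs outside Drupal.

```php
<?php
// Added example, not code from the Submitted By module. Names are assumptions.

// Stand-in for Drupal 6's check_plain(): make arbitrary text safe for HTML output.
function check_plain_standin($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample node, as the theme layer would receive it.
$node = (object) array('name' => 'alice', 'created' => 1247616000);

// Constructed admin-entered format string from the content-type settings.
// Whoever holds 'administer content types' controls this text.
$format = 'Posted by !username on @date <em>(staff)</em>';

// Placeholder values, escaped individually so they are safe to insert as-is
// (the same convention Drupal's t() uses for !placeholder and @placeholder).
$tokens = array(
  '!username' => check_plain_standin($node->name),
  '@date'     => check_plain_standin(gmdate('Y-m-d', $node->created)),
);

// Vulnerable pattern: the admin-entered format reaches the page unescaped,
// so any markup typed into the settings form becomes live HTML.
function build_submitted_vulnerable($format, $tokens) {
  return strtr($format, $tokens);
}

// Hardened pattern: escape the admin text first, then substitute the already
// safe placeholder values. Markup in the format is rendered literally, and the
// placeholder names survive because htmlspecialchars() leaves '!' and '@' alone.
function build_submitted_hardened($format, $tokens) {
  return strtr(check_plain_standin($format), $tokens);
}

echo build_submitted_vulnerable($format, $tokens), "\n";
echo build_submitted_hardened($format, $tokens), "\n";
```

If the settings form is meant to accept a limited set of tags, Drupal 6's filter_xss_admin() is the usual alternative to check_plain() for the format string; which of the two the 6.x-1.3 release uses is not stated in this advisory.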

Versions affected

  • Submitted By for Drupal 6.x prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Submitted By module, there is nothing you need to do.

Solution

Upgrade to the latest version:

See also the Submitted By project page.

Reported by

Nancy Wichmann, the project maintainer.

Fixed by

Nancy Wichmann, the project maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.