- Advisory ID: DRUPAL-SA-CONTRIB-2009-048
- Project: Bibliography Module (third-party module)
- Version: 5.x, 6.x
- Date: 2009-July-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Bibliography module (Biblio) allows users to manage and display lists of scholarly publications. The module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display. A user who has the permission to create content displayed by the Bibliography module could attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access.
Versions affected
- Bibliography Module versions 6.x prior to 6.x-1.6
- Bibliography Module versions 5.x prior to 5.x-1.17
Drupal core is not affected. If you do not use the contributed Bibliography module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Bibliography Module for Drupal 6.x upgrade to Bibliography Module 6.x-1.6
- If you use the Bibliography Module for Drupal 5.x upgrade to Bibliography Module 5.x-1.17
See also the Bibliography Module project page.
Reported by
Fixed by
Justin Klein Keane and Ron Jerome (the Bibliography module maintainer).
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.