- Advisory ID: DRUPAL-SA-CONTRIB-2009-063
- Project: XML sitemap (third-party module)
- Version: 5.x
- Date: 2009-September-30
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize the output of the link paths before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
Versions affected
- XML sitemap versions 5.x prior to 5.x-1.7
Drupal core is not affected. If you do not use the contributed XML sitemap module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the XML sitemap for Drupal 5.x upgrade to XML sitemap 5.x-1.7
See also the XML sitemap module project page.
Important notes
This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team.
Reported by
This vulnerability was publicly disclosed.
Fixed by
Dave Reid of the Drupal Security Team and module co-maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.