• Advisory ID: DRUPAL-SA-CONTRIB-2009-064
  • Project: Bibliography module (third-party module)
  • Version: 6.x
  • Date: 2009-September-30
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Bibliography module (also known as Biblio) allows users manage and display lists of scholarly publications. The Biblio module creates customized views in order to display these listings, and these listings contain text entered by users with the 'create biblio' permission. In some cases, the module does not properly sanitize the text, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

  • Bibliography module versions 6.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Bibliography module, there is nothing you need to do.

Solution

Install the latest version:

See also the Bibliography module project page.

Reported by

Justin C. Klein Keane

Fixed by

Ron Jerome the module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.