Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-080
- Project: Simplenews Statistics (third-party module)
- Version: 6.x
- Date: 2009 October 21
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities (XSS, CSRF, Open Redirect)
Description
The Simplenews Statistics module provides newsletter statistics such as the open rate and CTR (click-through rate).
The module suffers multiple vulnerabilities, including Cross Site Request Forgeries (CSRF), Cross Site Scripting problem (Cross Site Scripting) and Open Redirect. This problem allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page.
Versions affected
- Simplenews Statistics 6.x prior to 6.x-2.0
Drupal core is not affected. If you do not use the contributed Simplenews Statistics module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Simplenews Statistics for Drupal 6.x upgrade to version 6.x-2.0
Reported by
- Open redirect vulnerability reported by John Pettitt
- XSS and CSRF vulnerability reported by Dylan Wilder-Tack
Fixed by
- Fixed by Sjoerd Arendsen.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
