By meba on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-081
- Project: Abuse (third-party module)
- Version: 5.x, 6.x
- Date: 2009 October 21
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Abuse module enables users to flag nodes and comments as offensive, bringing them to the attention of the site maintainer for review. The module suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
Versions affected
- Abuse 6.x prior to 6.x-1.1-alpha1
- Abuse 5.x prior to 5.x-2.1
Drupal core is not affected. If you do not use the contributed Abuse module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Abuse for Drupal 6.x, upgrade to version 6.x-1.1-alpha1
- If you use Abuse for Drupal 5.x, upgrade to version 5.x-2.1
Reported by
- Reported by Mustafa ULU.
Fixed by
- Fixed by Ashok Modi.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.