- Advisory ID: DRUPAL-SA-CONTRIB-2009-091
- Project: Node Hierarchy (third-party module)
- Version: 6.x, 5.x
- Date: 2009 November 4
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Node Hierarchy module enables a site administrator to arrange their site into a tree-like structure. When displaying the list of children for a node the module does not properly sanitize the titles of the child nodes before outputting them, leading to a cross-site scripting (XSS) vulnerability which would allow a user with the ability to edit the nodes to gain full administrative access.
Versions affected
- Node Hierarchy versions for Drupal 6.x prior to 6.x-1.3
- Node Hierarchy versions for Drupal 5.x prior to 5.x-1.3
Drupal core is not affected. If you do not use the contributed Node Hierarchy module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Node Hierarchy for Drupal 6.x upgrade to version 6.x-1.3
- If you use Node Hierarchy for Drupal 5.x upgrade to version 5.x-1.3
See also the Node Hierarchy project page.
Reported by
Fixed by
- Ronan Dowling, the module maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.