Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-092
- Project: S5 Presentation Player (third-party module)
- Version: 6.x
- Date: 2009 November 4
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site.
The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
Versions Affected
- S5 Presentation Player 6.x-1.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed S5 Presentation Player module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to S5 Presentation Player 6.x-1.1
See also the S5 Presentation Player module project page.
Reported by
- Gábor Hojtsy of the Drupal Security team
Fixed by
- Greg Knaddison, the module maintainer, of the Drupal Security team
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
