- Advisory ID: DRUPAL-SA-CONTRIB-2009-093
- Project: Temporary Invitation (third-party module)
- Version: 5.x
- Date: 2009 November 4
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Temporary Invitation module enables site users to invite guests for a limited timespan. For each invitation, a new user is created, together with a login code (e.g. "EbN2F3") that the user can use to log in. The module fails to sanitize the value of the Name field, which is included in the invitation, leading to a Cross Site Scripting (XSS) vulnerability.
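The class of bug described above, as an added example that is not the module's code or its actual fix: a name is placed into invitation markup first unescaped, then escaped on output. All function names and the message layout are hypothetical; `example_check_plain()` is a stand-in for Drupal's `check_plain()`, and the sample names are constructed.

```php
<?php
// Added illustration; NOT the Temporary Invitation module's code.
// Function names and the invitation layout are hypothetical.

// Stand-in for Drupal's check_plain(): encode HTML special characters.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the Name value reaches the markup unescaped.
function example_invitation_unsafe($name, $code) {
  return '<p>Invitation for ' . $name . ', login code: ' . $code . '</p>';
}

// Hardened pattern: every user-supplied value is escaped on output.
function example_invitation_safe($name, $code) {
  return '<p>Invitation for ' . example_check_plain($name)
    . ', login code: ' . example_check_plain($code) . '</p>';
}

// Strip the wrapper the template emits itself, then look for any
// remaining tag start: that would be markup supplied through the input.
function example_has_injected_markup($html) {
  $inner = substr($html, strlen('<p>'), -strlen('</p>'));
  return strpos($inner, '<') !== false;
}

// Constructed sample Name values: one plain, two carrying markup.
$names = array(
  'Alice Example',
  '<script>alert(1)</script>',
  'Bob "<b>bold</b>" O\'Neil',
);

foreach ($names as $name) {
  $unsafe = example_invitation_unsafe($name, 'EbN2F3');
  $safe = example_invitation_safe($name, 'EbN2F3');
  printf("name: %s\n", $name);
  printf("  unescaped output carries input markup: %s\n",
    example_has_injected_markup($unsafe) ? 'yes' : 'no');
  printf("  escaped output carries input markup:   %s\n",
    example_has_injected_markup($safe) ? 'yes' : 'no');
  printf("  escaped output: %s\n", $safe);
}
```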
Versions affected
- Temporary Invitation module for Drupal 5.x prior to Temporary Invitation 5.x-2.3
Drupal core is not affected. If you do not use the contributed Temporary Invitation module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use the Temporary Invitation module for Drupal 5.x, upgrade to version 5.x-2.3
Reported by
- Reported by Wolfgang Ziegler, the module maintainer.
Fixed by
- Fixed by Wolfgang Ziegler, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.