By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-105
- Project: Subgroups for Organic Groups (third-party module)
- Version: 5.x
- Date: 2009-November-18
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Subgroups For Organic Groups module enables users to set group hierarchy. The module does not filter the titles of some nodes before output, leading to a cross-site scripting (XSS) vulnerability.
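The class of bug described above, shown as an added example; this is not the module's own code, which the advisory does not reproduce. The function names and the sample hierarchy are hypothetical, and `example_check_plain()` stands in for Drupal's `check_plain()`.

```php
<?php
// Stand-in for Drupal's check_plain(): encode HTML special characters
// so a node title is displayed as text instead of parsed as markup.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer that turns a group hierarchy into a nested HTML list.
// $filter = FALSE prints titles as stored (the behaviour the advisory describes);
// $filter = TRUE escapes every title on output (the corrected behaviour).
function example_render_subgroups(array $groups, $filter) {
  $items = '';
  foreach ($groups as $group) {
    $title = $filter ? example_check_plain($group['title']) : $group['title'];
    $children = empty($group['children'])
      ? ''
      : example_render_subgroups($group['children'], $filter);
    $items .= '<li>' . $title . $children . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

// Constructed sample data: a parent group with two subgroups. One title
// contains markup, one contains a legitimate ampersand.
$tree = array(
  array('title' => 'Engineering', 'children' => array(
    array('title' => '<script>alert("xss")</script>', 'children' => array()),
    array('title' => 'QA & Release', 'children' => array()),
  )),
);

$unfiltered = example_render_subgroups($tree, FALSE);
$filtered = example_render_subgroups($tree, TRUE);

echo "unfiltered: ", $unfiltered, "\n";
echo "filtered:   ", $filtered, "\n";

// Simple output check a reviewer can reuse: no raw <script> tag may
// survive in markup built from user-supplied titles.
echo "raw tag in unfiltered output: ",
  var_export(strpos($unfiltered, '<script>') !== FALSE, TRUE), "\n";
echo "raw tag in filtered output:   ",
  var_export(strpos($filtered, '<script>') !== FALSE, TRUE), "\n";
```

The escaping is applied at output time to every title in the hierarchy, including nested subgroups, because any node title a user can edit is untrusted input.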
Versions affected
- Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0
Drupal core is not affected. If you do not use the contributed Subgroups For Organic Groups module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x, upgrade to version 5.x-3.4
- If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x, upgrade to versions 5.x-3.4 or 5.x-4.0
See also the Subgroups For Organic Groups project page.
Reported by
- The vulnerability was reported by Greg Knaddison
Fixed by
- XSS vulnerability fixed by Ezra Barnett Gildesgame, Subgroups For Organic Groups module maintainer
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.