  • Advisory ID: DRUPAL-SA-CONTRIB-2010-002
  • Project: Currency Exchange (third-party module)
  • Version: 6.x
  • Date: 2009-January-6
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

This module provides a site with the ability to display currency exchange rates. The module does not sanitize some of the user-supplied data before logging it to the watchdog, leading to a cross-site scripting (XSS) vulnerability.
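The pattern behind this class of bug, as an added example that is not the Currency Exchange module's own code: in Drupal 6 the log viewer renders the stored message as HTML, so user input concatenated into the `watchdog()` message reaches the administrator's browser unescaped, while input passed through `@` or `%` placeholders is escaped when the entry is displayed. The function names and the `$currency` parameter are hypothetical, and the snippet assumes it runs inside a Drupal 6 module.

```php
<?php
// Added illustration for a Drupal 6 module; not code from Currency Exchange.
// Function names and the $currency parameter are hypothetical.

/**
 * Unsafe: user input becomes part of the message string itself.
 * The log viewer outputs the message as HTML, so markup in $currency
 * is rendered in the browser of whoever reads the log.
 */
function example_log_unsafe($currency) {
  watchdog('example', 'Unknown currency code: ' . $currency, array(), WATCHDOG_WARNING);
}

/**
 * Safe: the message is a constant string and user input travels in
 * $variables. When the entry is displayed, t() substitutes it:
 *   @name  -> passed through check_plain()        (escaped)
 *   %name  -> escaped and wrapped in <em>         (escaped)
 *   !name  -> inserted as-is                      (never for user input)
 */
function example_log_safe($currency) {
  watchdog('example', 'Unknown currency code: @code', array('@code' => $currency), WATCHDOG_WARNING);
}

/**
 * Defence in depth: reject input that cannot be a currency code before
 * it reaches any sink. Assumes three-letter upper-case codes; \z is used
 * instead of $ so a trailing newline does not pass.
 */
function example_currency_is_valid($currency) {
  return is_string($currency) && preg_match('/^[A-Z]{3}\z/', $currency) === 1;
}

/**
 * Hypothetical request handler combining both checks.
 */
function example_handle_request($currency) {
  if (!example_currency_is_valid($currency)) {
    example_log_safe($currency);
    return FALSE;
  }
  return TRUE;
}
```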

Versions affected

  • Currency Exchange versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Currency Exchange module, there is nothing you need to do.

Solution

Install the latest version: upgrade to Currency Exchange 6.x-1.2.

See also the Currency Exchange module project page.

Reported by

mr.baileys

Fixed by

mr.baileys and kbahey, one of the module's maintainers.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.