• Advisory ID: DRUPAL-SA-CONTRIB-2010-004
  • Project: Node Block (third-party module)
  • Version: 6.13, 5.11
  • Date: 2010-January-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

This module allows you to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access will see region and weight options on the node form.

The Node Block module creates a block from specified content type(s). Node Block doesn't properly escape node titles, allowing users with permission to create or edit the specified content type(s) to inject arbitrary markup and script into the site through the block title. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
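The unescaped-title pattern described above next to its escaped form, as an added PHP illustration in the shape of a Drupal 6 `hook_block()` 'view' callback; this is not the Node Block module's own code, and the function names, the sample node and its title are constructed for the demonstration. `check_plain()` is Drupal's real helper, reproduced here only so the script runs outside Drupal.

```php
<?php
// Drupal 6's check_plain() encodes <, >, &, " and ' for safe output in HTML.
// It is defined here only so this script runs stand-alone (assumption: same
// behaviour as the core function).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable shape: the raw node title is returned as the block subject.
// Drupal 6's block theming prints $block->subject as-is, so any markup in
// the title reaches the browser unescaped.
function vulnerable_block_view($node) {
  return array(
    'subject' => $node->title,
    'content' => 'rendered node body (node_view() output) would go here',
  );
}

// Hardened shape: the title is escaped before it becomes the block subject,
// so it is displayed as text rather than interpreted as markup.
function hardened_block_view($node) {
  return array(
    'subject' => check_plain($node->title),
    'content' => 'rendered node body (node_view() output) would go here',
  );
}

// Constructed sample node: a title that an editor with create/edit access to
// the "block" content type could save through the normal node form.
$node = new stdClass();
$node->title = 'Promo <script>alert("xss")</script>';

$bad  = vulnerable_block_view($node);
$good = hardened_block_view($node);

echo "Vulnerable subject: {$bad['subject']}\n";
echo "Hardened subject:   {$good['subject']}\n";

// Regression check a maintainer could keep: once the title has gone through
// check_plain(), the subject must contain no raw '<' or '>' characters.
assert(strpos($good['subject'], '<') === false);
assert(strpos($good['subject'], '>') === false);
```

Running it prints the first subject with the `<script>` tag intact and the second with `&lt;script&gt;...&lt;/script&gt;`, which is the difference the fixed releases introduce.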

Versions affected

  • Node Block module 5.x-1.1 and prior versions
  • Node Block module 6.x-1.3 and prior versions

Drupal core is not affected. If you do not use the contributed Feed Block module, there is nothing you need to do.

Solution

Install the latest version:

See also the Node Block project page.

Reported by

Martin Barbella and Khalid Baheyeldin

Fixed by

Thomas Turnbull.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.