• Advisory ID: DRUPAL-SA-CONTRIB-2010-007
  • Project: Control Panel (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-January-20
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer blocks' permission are able to exploit this vulnerability.

Versions affected

  • Control Panel module 5.x-1.5 and prior versions
  • Control Panel module 6.x-1.2 and prior versions

Drupal core is not affected. If you do not use the contributed Control Panel module, there is nothing you need to do.

Solution

The Drupal 5.x version of this module is no longer supported and should be disabled. For Drupal 6.x, install the latest version:

See also the Control Panel project page.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.