- Advisory ID: DRUPAL-SA-CONTRIB-2010-007
- Project: Control Panel (third-party module)
- Version: 5.x, 6.x
- Date: 2010-January-20
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer blocks' permission are able to exploit this vulnerability.
Versions affected
- Control Panel module 5.x-1.5 and prior versions
- Control Panel module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Control Panel module, there is nothing you need to do.
Solution
The Drupal 5.x version of this module is no longer supported and should be disabled. For Drupal 6.x, install the latest version:
- If you use Control Panel module for Drupal 6.x upgrade to Control Panel 6.x-1.3
See also the Control Panel project page.
Reported by
- Reported by Dylan Wilder-Tack of the Drupal Security Team
Fixed by
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.