- Advisory ID: DRUPAL-SA-CONTRIB-2010-008
- Project: Recent Comments (third-party module)
- Version: 6.x-1.0, 5.x-1.2
- Date: 2010-January-20
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
Recent Comments module provides a high-performance, fully themable block of recent comments. This release includes a fix for a cross-site scripting (XSS) vulnerability: the module offered its own "custom block title" setting, and the saved title was output as the block's heading without being sanitized, so JavaScript placed in that field was rendered in every page that displayed the block. The custom title interface has been removed rather than patched, since Drupal 5.x and later already allow an administrator to override a block's title from the block's configuration screen, and that override is sanitized by Drupal core before it is rendered.
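To make the pattern concrete, the following is an added illustration (written for this page, not the Recent Comments module's own code) of a Drupal 6 hook_block() implementation for a hypothetical module named example_recent. The first function shows the weak shape the advisory describes, a module-specific title setting whose value is returned as the block subject unescaped; the second shows the shape of the fix, where the module no longer carries a title setting at all and leaves title overrides to the core block configuration screen. The function names, the variable name example_recent_title and the sample comment subjects are all invented for the illustration.

```php
<?php
// Added example, not the Recent Comments module's code. Drupal 6 API only:
// hook_block(), variable_get(), variable_set(), check_plain(), t(), theme().

// Constructed sample data standing in for comments loaded from the database,
// so the example renders something without a live Drupal site.
function example_recent_items() {
  $subjects = array('First post', 'Re: upgrade notes', '<b>bold</b> subject');
  $items = array();
  foreach ($subjects as $subject) {
    // User-supplied comment subjects are escaped before they reach HTML.
    $items[] = check_plain($subject);
  }
  return $items;
}

// VULNERABLE SHAPE (hypothetical): the module exposes its own "custom title"
// field on the block's configure form and later returns the stored value as
// the block subject. Drupal 6's block.tpl.php prints $block->subject as raw
// HTML, so a title saved as <script>...</script> executes in every page that
// shows the block.
function example_recent_block_vulnerable($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Recent comments (example)')));

    case 'configure':
      return array(
        'example_recent_title' => array(
          '#type' => 'textfield',
          '#title' => t('Custom block title'),
          '#default_value' => variable_get('example_recent_title', ''),
        ),
      );

    case 'save':
      // Stored verbatim; nothing strips markup here.
      variable_set('example_recent_title', $edit['example_recent_title']);
      return;

    case 'view':
      return array(
        // Unsanitized: this is the XSS sink.
        'subject' => variable_get('example_recent_title', t('Recent comments')),
        'content' => theme('item_list', example_recent_items()),
      );
  }
}

// FIXED SHAPE (hypothetical): no module-specific title setting exists. The
// block always returns a fixed, translated subject. An administrator who wants
// a different title sets it on the core block configuration screen, and core
// runs that override through check_plain() before rendering it.
function example_recent_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Recent comments (example)')));

    case 'view':
      return array(
        'subject' => t('Recent comments'),
        'content' => theme('item_list', example_recent_items()),
      );
  }
}
```

If a module genuinely needs its own title setting, the minimum fix is to wrap the stored value in check_plain() at the 'view' stage, because block.tpl.php will not do it for you; removing the duplicate setting, as this release does, both closes the hole and avoids keeping two places where the same title can be configured.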
Versions affected
- Recent Comments module 5.x-1.2 and prior versions
- Recent Comments module 6.x-1.0 and prior versions
Drupal core is not affected. If you do not use the contributed Recent Comments module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Recent Comments module for Drupal 5.x upgrade to Recent Comments 5.x-1.3
- If you use the Recent Comments module for Drupal 6.x upgrade to Recent Comments 6.x-1.1
See also the Recent Comments page.
Reported by
Dylan Tack of the Drupal Security Team.
Fixed by
Dylan Tack of the Drupal Security Team and Todd Nienkerk.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.