• Advisory ID: DRUPAL-SA-CONTRIB-2010-008
  • Project: Recent Comments (third-party module)
  • Version: 6.x-1.0, 5.x-1.2
  • Date: 2010-January-20
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

Recent Comments module provides a high-performance, fully themable block of recent comments. This release includes a fix for a cross-site scripting (XSS) vulnerability in which JavaScript could be inserted in the title of the Recent Comments block via a custom block title interface. This custom title interface has been removed, as Drupal 5.x and later allow overriding the a block's title from its configuration screen.

Versions affected

  • Recent Comments module 5.x-1.2 and prior versions
  • Recent Comments module 6.x-1.0 and prior versions

Drupal core is not affected. If you do not use the contributed Recent Comments module, there is nothing you need to do.

Solution

Install the latest version:

See also the Recent Comments page.

Reported by

Dylan Tack of the Drupal Security Team.

Fixed by

Dylan Tack of the Drupal Security Team and Todd Nienkerk.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.