Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-017
- Project: iTweak Upload (third-party module)
- Version: 6.x
- Date: 2010 February 17
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting (XSS) attack.
Versions affected
- iTweak Upload 6.x-2.x prior to 6.x-2.3
- iTweak Upload 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed iTweak Upload module, there is nothing you need to do.
Solution
Install the latest version:
- If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2
- If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3
See also the iTweak Upload project page.
Reported by
- Mark Piper
Fixed by
- iva2k, the iTweak Upload module maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.