  • Advisory ID: DRUPAL-SA-CONTRIB-2010-034
  • Project: Internationalization (third-party module)
  • Version: 6.x
  • Date: 2010-April-7
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Internationalization module enables translation of user-defined strings through Drupal's locale interface. Some of these user-defined strings have input formats associated with them, and some of the strings used for translating blocks were not properly filtered before display.
Additionally, strings translated through this module were not checked for potentially malicious HTML and script code, as regular Drupal string translations are.
Both issues would allow a user with the 'translate interface' or 'administer blocks' permission to attempt a cross-site scripting (XSS) attack, which may lead to the user gaining full administrative access.
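The two checks the advisory describes as missing, as an added example (not code from the Internationalization module or Drupal core): a submitted translation is accepted only if filtering it leaves it unchanged, modelled on Drupal 6's locale_string_is_safe(), and a translated block body is rendered through its input format on display. The form id and the 'translations' values key are placeholders, and strip_tags() plus a blanket attribute rejection stands in for core's filter_xss().

```php
<?php
// Added example; not code from the Internationalization module or Drupal core.
// Modelled on Drupal 6's locale_string_is_safe(): accept a translation only if
// filtering leaves it unchanged. strip_tags() plus rejection of all attributes
// stands in for filter_xss(), so this is stricter than core (no href on <a>).
function example_allowed_tags() {
  // Inline/formatting tags Drupal 6 core allows in interface translations.
  return array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote',
    'cite', 'code', 'del', 'dfn', 'em', 'i', 'ins', 'kbd', 'q', 'small', 'span',
    'strong', 'sub', 'sup', 'tt', 'ul', 'ol', 'li', 'dl', 'dt', 'dd');
}

function example_translation_is_safe($string) {
  $allowed = '<' . implode('><', example_allowed_tags()) . '>';
  // A disallowed tag (script, img, iframe, ...) or an HTML comment alters the output.
  if (strip_tags($string, $allowed) !== $string) {
    return FALSE;
  }
  // strip_tags() keeps attributes on allowed tags, so onmouseover="..." on <b>
  // would survive; reject every tag that carries attributes instead.
  return !preg_match('/<[a-zA-Z][a-zA-Z0-9]*\s+[^>]*>/', $string);
}

// Enforce the check on the translation form, as core's locale form does.
// Assumption: the form id and the 'translations' values key are placeholders.
function example_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'EXAMPLE_STRING_TRANSLATION_FORM_ID') {
    $form['#validate'][] = 'example_translation_validate';
  }
}

function example_translation_validate($form, &$form_state) {
  foreach ($form_state['values']['translations'] as $langcode => $translation) {
    if (!example_translation_is_safe($translation)) {
      form_set_error('translations][' . $langcode,
        t('The translation contains disallowed HTML and was not saved.'));
    }
  }
}

// A translated block body that has an input format must be rendered through
// that format with check_markup(), never printed raw. $check = FALSE: the
// format was chosen by the block's author, not by the viewer.
function example_render_translated_block_body($translated_body, $format) {
  return check_markup($translated_body, $format, FALSE);
}
// Constructed sample inputs (pure-PHP path, runnable without Drupal).
var_dump(example_translation_is_safe('Read <em>more</em> about <strong>us</strong>'));
var_dump(example_translation_is_safe('Hello <script>alert(1)</script>'));
var_dump(example_translation_is_safe('<b onmouseover="alert(1)">Welcome</b>'));
```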

Versions affected

  • Internationalization 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do. Also, if you are not using Internationalization's 'String translation' (i18nstrings) module, you do not need to update.

Solution

Install the latest version:

See also the Internationalization project page

Reported by

Fixed by

Contact

The Security Team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.