  • Advisory ID: DRUPAL-SA-CONTRIB-2010-048
  • Project: CiviRegister (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-May-12
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The CiviRegister module replaces the standard Drupal user registration form with a CiviCRM Profile form configured to create users. Notifications on the Profile's administrative page include unsanitized data obtained from the URL. A malicious user could create a special link which would inject arbitrary HTML into the resulting page if it is clicked by a Drupal user with the 'administer CiviCRM' permission. Exploiting this vulnerability could allow a malicious user to gain the permissions of the targeted user.
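As an added illustration of the pattern this advisory describes (not CiviRegister's own code), the following Drupal 6 snippet shows an administrative notification built from an unsanitized URL parameter beside its corrected form; the menu path, function names and the `profile` query parameter are assumed for the example.

```php
<?php
// Hypothetical Drupal 6 module code illustrating the class of bug in this
// advisory: an administrative notification that echoes a URL parameter.
// This is added example code, not CiviRegister's actual implementation;
// the path and the 'profile' query parameter are assumed for illustration.

/**
 * Implements hook_menu() (hypothetical path, restricted to the permission
 * named in the advisory).
 */
function example_menu() {
  $items['admin/example/notify'] = array(
    'title' => 'Profile notifications',
    'page callback' => 'example_notify_page',
    'access arguments' => array('administer CiviCRM'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable pattern: the raw query string value is concatenated into the
 * message and rendered as HTML, so a crafted link controls page markup.
 */
function example_notify_page_vulnerable() {
  $profile = isset($_GET['profile']) ? $_GET['profile'] : '';
  // No escaping: whatever the URL carries is emitted verbatim.
  drupal_set_message('Profile ' . $profile . ' has been updated.');
  return '';
}

/**
 * Hardened pattern: pass the untrusted value through t() with an '@'
 * placeholder, which Drupal 6 escapes with check_plain(), so the value is
 * displayed literally rather than interpreted as HTML.
 */
function example_notify_page() {
  $profile = isset($_GET['profile']) ? $_GET['profile'] : '';
  drupal_set_message(t('Profile @name has been updated.', array('@name' => $profile)));
  return '';
}
```

Calling check_plain() directly on the value before building the message is equivalent; the point is that every piece of URL-derived data reaches the page escaped.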

Versions affected

  • Versions of CiviRegister for Drupal 6.x prior to 6.x-1.1
  • Versions of CiviRegister for Drupal 5.x.

Drupal core is not affected. If you do not use the contributed CiviRegister module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use CiviRegister for Drupal 6.x, upgrade to CiviRegister 6.x-1.1 or any later version.
  • If you use the CiviRegister module for Drupal 5.x, you should uninstall CiviRegister. CiviRegister and CiviCRM are no longer supported for Drupal 5.x.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.