SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)

By Drupal Security Team on 19 May 2010 at 22:33 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2010-054
Project: Storm (third-party module)
Version: 6.x
Date: 2010-May-19
Security risk: Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting (XSS)

Description

The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access.

Versions affected

Storm project for Drupal 5.x (all versions). This branch is unsupported and has not been fixed. It is recommended not to use Storm for Drupal 5.x.
Storm project for Drupal 6.x versions prior to 6.x-1.33

Drupal core is not affected. If you do not use the contributed Storm module, there is nothing you need to do.

Solution

If you use the Storm module for Drupal 5.x, uninstall this module
If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33

Reported by

Disclosed outside the Drupal Security Team process.

Fixed by

juliangb, the module maintainer

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)

Description

Versions affected

Solution

Reported by

Fixed by

Contact

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community