* Advisory ID: DRUPAL-SA-CONTRIB-2011-049
* Project: Cumulus [1] (third-party module)
* Version: 5.x, 6.x
* Date: 2011-October-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS)
-------- DESCRIPTION ---------------------------------------------------------
The Cumulus module allows you to display your site's tags using a 3D Flash animation.
The module ships with a Flash file (cumulus.swf) that contains a cross site scripting (XSS) vulnerability that can be exploited when a user is made to view a specially crafted URL. If the user is logged in to an administrative account, the script can take actions using their permissions or disclose sensitive information to a third party.
This vulnerability is mitigated by the fact that the user being attacked must be logged in to the site with a privileged account and must be tricked into visiting a specially crafted URL.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Cumulus versions prior to 6.x-1.5 [3]
Because the vulnerability is in a Flash file that ships with the module rather than in the Drupal code itself, any site that has a vulnerable version of the module in its file system is potentially affected, regardless of whether the module is enabled. The same is true for any custom modules or themes on the site into which the cumulus.swf file may have been copied.
Drupal core is not affected. If you do not have the contributed Cumulus [4] module in your site's file system, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you have the Cumulus module anywhere on your site's file system, upgrade to Cumulus 6.x-1.5 [5] (or remove the module if you are no longer using it).
Note: Drupal 5.x modules are no longer supported, including the Cumulus module for 5.x. If you use Drupal 5.x you should upgrade now.
See also the Cumulus [6] project page.
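Because the vulnerable file can sit anywhere under the docroot, not only in the module's own directory, a simple check of the installed version is not enough. The following script is an added example written for this advisory (it is not code from the advisory or from the Cumulus project): it lists every copy of cumulus.swf below a Drupal docroot, reads the version recorded in each cumulus.info, and reports whether an upgrade, a removal, or a manual refresh of stray copies is needed. It assumes paths without whitespace and that the module's .info file carries a `version = "6.x-1.y"` line as written by the drupal.org packaging script; a git checkout without that line is reported as "unknown" and treated as needing action. The demo tree it builds is constructed sample data, not a real site.

```shell
#!/bin/sh
# Added example for DRUPAL-SA-CONTRIB-2011-049, not part of the advisory or the
# Cumulus project. Assumptions: paths contain no whitespace; cumulus.info holds
# a `version = "6.x-1.y"` line (absent in a raw git checkout -> "unknown").

# Every cumulus.swf below the docroot, not only the one in the module directory,
# because copies made into custom modules or themes carry the same Flash file.
find_cumulus_swf() {
  find "$1" -type f -name 'cumulus.swf' 2>/dev/null | sort
}

# Version string from one cumulus.info file, or "unknown" if there is no line.
info_version() {
  ver=$(sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//')
  printf '%s\n' "${ver:-unknown}"
}

# 0 if the version is a release 6.x-1.5 or later. 5.x, -dev and pre-release
# strings, earlier 6.x and "unknown" all return 1 (treated as vulnerable).
cumulus_version_is_fixed() {
  case "$1" in
    6.x-1.*)
      minor=${1#6.x-1.}
      case "$minor" in *[!0-9]*|'') return 1 ;; esac
      [ "$minor" -ge 5 ]
      ;;
    *) return 1 ;;
  esac
}

# 0 only if at least one cumulus.info exists and every one records a fixed version.
cumulus_all_fixed() {
  found=0
  for info in $(find "$1" -type f -name 'cumulus.info' 2>/dev/null); do
    found=1
    cumulus_version_is_fixed "$(info_version "$info")" || return 1
  done
  [ "$found" -eq 1 ]
}

# Report findings. Returns 0 if nothing needs doing, 1 if the module must be
# upgraded or removed, 2 if the module is fixed but stray .swf copies outside
# the module directory still need to be refreshed or deleted by hand.
audit_cumulus() {
  root=$1
  swfs=$(find_cumulus_swf "$root")
  if [ -z "$swfs" ]; then
    echo "no cumulus.swf under $root: nothing to do"
    return 0
  fi
  echo "cumulus.swf copies under $root:"
  printf '  %s\n' $swfs
  infos=$(find "$root" -type f -name 'cumulus.info' 2>/dev/null)
  for info in $infos; do
    printf 'module %s: version %s\n' "$(dirname "$info")" "$(info_version "$info")"
  done
  if ! cumulus_all_fixed "$root"; then
    echo "ACTION: upgrade to Cumulus 6.x-1.5 or remove the module and every copy of cumulus.swf"
    return 1
  fi
  swf_count=$(printf '%s\n' "$swfs" | wc -l | tr -d ' ')
  info_count=$(printf '%s\n' "$infos" | wc -l | tr -d ' ')
  if [ "$swf_count" -gt "$info_count" ]; then
    echo "ACTION: module is fixed, but stray cumulus.swf copies outside the module directory still carry the old file"
    return 2
  fi
  echo "module at a fixed version and no stray copies found"
  return 0
}

# Constructed demo docroot (sample data, not a real site): the module at 6.x-1.4
# plus a stray copy of the Flash file inside a custom theme.
build_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/sites/all/modules/cumulus" "$root/sites/all/themes/mytheme/flash"
  printf 'name = Cumulus\ncore = 6.x\nversion = "6.x-1.4"\n' \
    > "$root/sites/all/modules/cumulus/cumulus.info"
  : > "$root/sites/all/modules/cumulus/cumulus.swf"
  : > "$root/sites/all/themes/mytheme/flash/cumulus.swf"
  printf '%s\n' "$root"
}

# Usage: sh cumulus_audit.sh /var/www/drupal   (no argument audits the demo tree)
if [ -n "${1:-}" ]; then
  audit_cumulus "$1"
else
  demo=$(build_demo_tree)
  audit_cumulus "$demo" || true
  rm -rf "$demo"
fi
```

Run it against the docroot of every site that has ever had the module installed; a return code of 2 is the case the advisory singles out, where the module itself is current but a copied cumulus.swf in a theme or custom module is still the old file. Verifying each remaining .swf against the file shipped in the 6.x-1.5 release is then a manual step, since the advisory does not publish a checksum.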
-------- REPORTED BY ---------------------------------------------------------
* The vulnerability was publicly disclosed.
-------- FIXED BY ------------------------------------------------------------
* Florian Weber [7], one of the Cumulus module maintainers
-------- COORDINATED BY ------------------------------------------------------
* David Rothstein [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/cumulus
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1304616
[4] http://drupal.org/project/cumulus
[5] http://drupal.org/node/1304616
[6] http://drupal.org/project/cumulus
[7] http://drupal.org/user/254778
[8] http://drupal.org/user/124982
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration