* Advisory ID: DRUPAL-SA-CONTRIB-2009-092 * Project: S5 Presentation Player (third-party module) * Version: 6.x * Date: 2009 November 4 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED ---------------------------------------------------
* S5 Presentation Player 6.x-1.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed S5 Presentation Player module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to S5 Presentation Player 6.x-1.1 [2]
See also the S5 Presentation Player module project page [3]. -------- REPORTED BY ---------------------------------------------------------
* Gábor Hojtsy [4] of the Drupal Security team
-------- FIXED BY ------------------------------------------------------------
* Greg Knaddison [5], the module maintainer, of the Drupal Security team
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/617136 [3] http://drupal.org/project/s5 [4] http://drupal.org/user/4166 [5] http://drupal.org/user/36762