* Advisory ID: DRUPAL-SA-CONTRIB-2010-048 * Project: CiviRegister (third-party module) * Version: 5.x, 6.x * Date: 2010-May-12 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The CiviRegister module replaces the standard Drupal user registration form with a CiviCRM Profile form configured to create users. Notifications on the Profile's administrative page include unsanitized data obtained from the URL. A malicious user could create a special link which would inject arbitrary HTML into the resulting page, if clicked by a Drupal user with 'administer CiviCRM permissions.' Exploiting this vulnerability could allow a malicious user to gain the permissions of the targeted user.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of CiviRegister for Drupal 6.x prior to 6.x-1.1 * Versions of CiviRegister for Drupal 5.x.
Drupal core is not affected. If you do not use the contributed CiviRegister [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use CiviRegister for Drupal 6.x upgrade to CiviRegister 6.x-1.1 [2] or any later version. * If you use the CiviRegister module for Drupal 5.x, you should uninstall CiviRegister. CiviRegister and CiviCRM are no longer supported for Drupal 5.x.
-------- REPORTED BY ---------------------------------------------------------
* Matt Chapman, the module maintainer [3]
-------- FIXED BY ------------------------------------------------------------
* Matt Chapman, the module maintainer [4]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [5].
Read more about the Security Team and Security Advisories at http://drupal.org/security [6].
[1] http://drupal.org/project/civiregister [2] http://drupal.org/node/797342 [3] http://drupal.org/user/143172 [4] http://drupal.org/user/143172 [5] http://drupal.org/contact [6] http://drupal.org/security