* Advisory ID: DRUPAL-SA-CONTRIB-2010-054 * Project: Storm (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting (XSS)
-------- DESCRIPTION ---------------------------------------------------------
The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting [1] (XSS) attack that may lead to a malicious user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Storm project for Drupal 5.x (all versions). This branch is unsupported and has not been fixed. It is recommended not to use Storm for Drupal 5.x. * Storm project for Drupal 6.x versions prior to 6.x-1.33
Drupal core is not affected. If you do not use the contributed Storm module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
* If you use the Storm module for Drupal 5.x, uninstall this module * If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2]
-------- REPORTED BY ---------------------------------------------------------
Disclosed outside the Drupal Security Team process. [3] -------- FIXED BY ------------------------------------------------------------
* juliangb [4], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [5] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz [3] http://drupal.org/security-team#report-issue [4] http://drupal.org/user/719472 [5] http://drupal.org/security-team