* Advisory ID: DRUPAL-SA-CONTRIB-2010-003 * Project: Forward (third-party module) * Version: 6.x * Date: 2010-January-6 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Multiple XSS vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
This module allows users to forward a link to a specific node on your site to a friend. The Forward module does not properly sanitize user supplied data, allowing users with the "access administration pages" and "administer forward" permissions, or users with "access administration pages" and "administer site configuration" permissions to inject scripts into Drupal generated output, leading to a cross-site scripting (XSS [1]) vulnerability. -------- VERSIONS AFFECTED ---------------------------------------------------
* Forward version prior to 6.x-1.12
Drupal core is not affected. If you do not use the contributed Forward [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: upgrade to Forward 6.x-1.12 [3]. See also the Forward module project page [4]. -------- REPORTED BY ---------------------------------------------------------
mr.baileys [5] -------- FIXED BY ------------------------------------------------------------
mr.baileys [6]. -------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/forward [3] http://drupal.org/node/676494 [4] http://drupal.org/project/forward [5] http://drupal.org/user/383424 [6] http://drupal.org/user/383424