* Advisory ID: DRUPAL-SA-CONTRIB-2009-067
* Project: Dex: Contact Information Manager (third-party module)
* Version: 5.x, 6.x
* Date: 2009-Sept-30
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Dex: Contact Information Manager module enables contact information management with Google Maps and Yahoo Maps compatible geocoding. The module suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

This module is no longer maintained. The releases have been unpublished and it is recommended that it be disabled and uninstalled if in use.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Dex versions 6.x up to and including 6.x-1.0-rc1
* Dex versions 5.x up to and including 5.x-1.0

Drupal core is not affected. If you do not use the contributed Dex module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
There is no solution available. It is recommended that you disable and uninstall the Dex module if it is in use on your site.

-------- REPORTED BY ---------------------------------------------------------
* Reported by Stéphane Corlosquet [1] of the Drupal security team.
-------- HANDLED BY ----------------------------------------------------------
* On behalf of the Drupal security team, this SA has been handled by Peter Wolanin [2], Stéphane Corlosquet [3] and Jakub Suchy [4]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/user/52142
[2] http://drupal.org/user/49851
[3] http://drupal.org/user/52142
[4] http://drupal.org/user/31977