* Advisory ID: DRUPAL-SA-CONTRIB-2009-067
* Project: Dex: Contact Information Manager (third-party module)
* Version: 5.x, 6.x
* Date: 2009-Sept-30
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Dex: Contact Information Manager module enables contact information management with Google Maps and Yahoo Maps compatible geocoding.

The module suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

This module is no longer maintained. The releases have been unpublished and it is recommended that it be disabled and uninstalled if in use.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Dex versions 6.x up to and including 6.x-1.0-rc1
* Dex versions 5.x up to and including 5.x-1.0

Drupal core is not affected. If you do not use the contributed Dex module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

There is no solution available. It is recommended that you disable and uninstall the Dex module if it is in use on your site.

-------- REPORTED BY ---------------------------------------------------------

* Reported by Stéphane Corlosquet [1] of the Drupal security team.

-------- HANDLED BY ----------------------------------------------------------

* On behalf of the Drupal security team, this SA has been handled by Peter Wolanin [2], Stéphane Corlosquet [3] and Jakub Suchy [4].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/user/52142
[2] http://drupal.org/user/49851
[3] http://drupal.org/user/52142
[4] http://drupal.org/user/31977