* Advisory ID: DRUPAL-SA-CONTRIB-2010-046
* Project: Award (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Award module allows administrators to identify one or more content types as "awards" that can be granted to users.
When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. An attacker must have the permission to create Award content in order to exploit this.
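The defect class described above, shown as an added illustration in Drupal 6 style (this is not the Award module's own code): award_profile_titles_vulnerable() and award_profile_titles_safe() are hypothetical helpers, the sample titles are constructed, and check_plain() is Drupal's standard HTML escaper, with a fallback definition so the file also runs outside a Drupal bootstrap.

```php
<?php
// Added illustration of the issue in this advisory; not the Award module's
// source. check_plain() is Drupal's HTML escaper; the fallback below exists
// only so this file also runs outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Vulnerable form: award node titles are free text supplied by anyone with
 * the "create award content" permission and are copied into the profile
 * page HTML as-is, so any tags in a title are rendered as markup.
 */
function award_profile_titles_vulnerable(array $titles) {
  $items = array();
  foreach ($titles as $title) {
    $items[] = '<li>' . $title . '</li>';   // raw: title text becomes markup
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

/**
 * Hardened form: escape each title before it enters markup. In a Drupal 6
 * module this is the same check_plain() call applied to each item before
 * handing the list to theme('item_list'), which treats items as markup.
 */
function award_profile_titles_safe(array $titles) {
  $items = array();
  foreach ($titles as $title) {
    $items[] = '<li>' . check_plain($title) . '</li>';
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample input: the second title carries markup.
$titles = array('Employee of the Month', 'Top <b>Contributor</b> 2010');
echo award_profile_titles_vulnerable($titles), "\n";
echo award_profile_titles_safe($titles), "\n";
```

Comparing the two lines of output shows the difference: the safe variant prints the tags in the second title as literal text instead of rendering them.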
-------- VERSIONS AFFECTED ---------------------------------------------------
* Award module for Drupal 5.x versions prior to 5.x-1.2
* Award module for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Award [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Award module for Drupal 5.x, upgrade to Award 5.x-1.2 [2]
* If you use the Award module for Drupal 6.x, upgrade to Award 6.x-1.1 [3]
-------- REPORTED BY ---------------------------------------------------------
* Martin Barbella [4]
-------- FIXED BY ------------------------------------------------------------
* Josh Benner [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [6].
Read more about the Security Team and Security Advisories at http://drupal.org/security.
[1] http://drupal.org/project/award
[2] http://drupal.org/node/795836
[3] http://drupal.org/node/795828
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/150069
[6] http://drupal.org/contact