* Advisory ID: DRUPAL-SA-CONTRIB-2010-054 * Project: Storm (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting (XSS) -------- DESCRIPTION --------------------------------------------------------- The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting [1] (XSS) attack that may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Storm project for Drupal 5.x (all versions). This branch is unsupported and has not been fixed. It is recommended not to use Storm for Drupal 5.x. * Storm project for Drupal 6.x versions prior to 6.x-1.33 Drupal core is not affected. If you do not use the contributed Storm module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ * If you use the Storm module for Drupal 5.x, uninstall this module * If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2] -------- REPORTED BY --------------------------------------------------------- Disclosed outside the Drupal Security Team process. [3] -------- FIXED BY ------------------------------------------------------------ * juliangb [4], the module maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal [5] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz [3] http://drupal.org/security-team#report-issue [4] http://drupal.org/user/719472 [5] http://drupal.org/security-team