[Security-news] SA-CONTRIB-2009-067 Dex module - Cross Site Scripting, no longer maintained
security-news at drupal.org
Wed Sep 30 19:29:37 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-067
* Project: Dex: Contact Information Manager (third-party module)
* Version: 5.x, 6.x
* Date: 2009-Sept-30
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Dex: Contact Information Manager module enables contact information
management with Google Maps and Yahoo Maps compatible geocoding. The module
suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may
lead to a malicious user gaining full administrative access. This module is
no longer maintained. The releases have been unpublished and it is
recommended that it be disabled and uninstalled if in use.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Dex versions 6.x up to and including 6.x-1.0-rc1
* Dex versions 5.x up to and including 5.x-1.0
Drupal core is not affected. If you do not use the contributed Dex module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
There is no solution available. It is recommended that you disable and
uninstall the Dex module if it is in use on your site.
-------- REPORTED BY ---------------------------------------------------------
* Reported by Stéphane Corlosquet [1] of the Drupal security team.
-------- HANDLED BY ----------------------------------------------------------
* On behalf of the Drupal security team, this SA has been handled by Peter
Wolanin [2], Stéphane Corlosquet [3] and Jakub Suchy [4].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/user/52142
[2] http://drupal.org/user/49851
[3] http://drupal.org/user/52142
[4] http://drupal.org/user/31977