Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-2007-008
- Project: Image Pager (third-party module)
- Version: 4.7.x-1.x-dev, 5.x-1.x-dev
- Date: 2007-02-15
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
HTML entities are decoded by the DOM functions used by Image Pager before being reinserted into the web page for display. As a result, a malicious user who is allowed to use the IMG tag can execute a cross site scripting attack (XSS). This may lead to administrator access if certain conditions are met.
Disabling the Image Pager module provides an immediate workaround. All images will continue to be displayed, just not in the Image Pager block. Restricting the use of the IMG tag to trusted users is an alternative workaround.
- Image Pager 4.7.x-1.x-dev prior to 2007-02-08
- Image Pager 5.x-1.x-dev prior to 2007-02-08
Drupal core is not affected. If you do not use the contributed Image Pager module, there is nothing you need to do.
Install the latest version:
See also the Image Pager project page.
Barry Jaspan (bjaspan) from the Drupal security team.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.