• Advisory ID: DRUPAL-SA-2007-008
  • Project: Image Pager (third-party module)
  • Version: 4.7.x-1.x-dev, 5.x-1.x-dev
  • Date: 2007-02-15
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting


The Image Pager module uses JavaScript to collect selected images from a page and display them one at a time in a block with previous/next pager links.

HTML entities are decoded by the DOM functions used by Image Pager before being reinserted into the web page for display. As a result, a malicious user who is allowed to use the IMG tag can execute a cross site scripting attack (XSS). This may lead to administrator access if certain conditions are met.

Learn more about XSS on Wikipedia.

Disabling the Image Pager module provides an immediate workaround. All images will continue to be displayed, just not in the Image Pager block. Restricting the use of the IMG tag to trusted users is an alternative workaround.

Versions affected

  • Image Pager 4.7.x-1.x-dev prior to 2007-02-08
  • Image Pager 5.x-1.x-dev prior to 2007-02-08

Drupal core is not affected. If you do not use the contributed Image Pager module, there is nothing you need to do.


Install the latest version:

See also the Image Pager project page.

Reported by

Barry Jaspan (bjaspan) from the Drupal security team.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.