  • Advisory ID: DRUPAL-SA-CONTRIB-2012-027
  • Project: Submenu Tree (third-party module)
  • Version: 6.x
  • Date: 2012-February-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

CVE: CVE-2012-1651

The Submenu Tree module allows sufficiently privileged users to show a
list of menu entries when displaying a node.

The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS)
vulnerability.

The vulnerability is mitigated by the fact that a malicious user must
be assigned a role that includes permissions to edit the Drupal menus.

Versions affected

  • Submenu Tree versions prior to 6.x-1.5

Drupal core is not affected. If you do not use the contributed Submenu Tree module,
there is nothing you need to do.
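
One way to check an installed copy against the affected range above, as an added example that is not part of the original advisory or the module's code. It assumes the module's .info file carries the `version = "..."` line written by the drupal.org packaging script; the sample file contents, including the `submenutree` project name, are constructed.

```python
import re

FIXED = (1, 5)  # the advisory lists versions prior to 6.x-1.5 as affected

# drupal.org contrib version strings: 6.x-1.4, 6.x-1.5-rc1, 6.x-1.x-dev
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9.]+))?$")

# Constructed sample of a packaged .info file (not taken from the real module).
SAMPLE_INFO = """\
; $Id$
name = Submenu Tree
core = 6.x

; Information added by drupal.org packaging script
version = "6.x-1.4"
project = "submenutree"
"""


def info_version(info_text):
    """Return the value of the 'version' key in .info text, or None if absent."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith(";"):          # .info comment line
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'")
    return None                           # e.g. a git checkout with no packaged version


def assess(version):
    """Return 'affected', 'fixed', 'unknown' or 'not-covered' for a version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, minor, extra = m.groups()
    if core != "6":
        return "not-covered"              # the advisory only lists the 6.x branch
    if minor == "x":
        return "unknown"                  # dev snapshot: string does not show if the fix is in
    if (int(major), int(minor)) < FIXED:
        return "affected"
    if (int(major), int(minor)) == FIXED and extra:
        return "affected"                 # pre-release of 1.5, treated conservatively
    return "fixed"


if __name__ == "__main__":
    print(assess(info_version(SAMPLE_INFO)))
```

An "unknown" result means the version string alone cannot settle it, so the copy should be replaced with a packaged release.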

Solution

Install the latest version:

Please also see the Submenu Tree project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.