Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2012-027
- Project: Submenu Tree (third-party module)
- Version: 6.x
- Date: 2012-February-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Submenu Tree module allows sufficiently privileged users to show a
list of menu entries when displaying a node.
The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS)
The vulnerability is mitigated by the fact that a malicious user must
be assigned a role that includes permissions to edit the Drupal menus.
- Submenu Tree versions prior to 6.x-1.5
Drupal core is not affected. If you do not use the contributed Submenu Tree module,
there is nothing you need to do.
Drupal core is not affected. If you do not use the contributed Submenu Tree module, there is nothing you need to do.
Install the latest version:
- If you use the Submenu Tree module upgrade to Submenu Tree 6.x-1.5
Please also see the Submenu Tree project
See also the Submenu Tree project page.
- Beng Tan, module maintainer
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.