- Advisory ID: DRUPAL-SA-CONTRIB-2012-069
- Project: Addressbook (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.
For the SQL Injection issue -
For the CSRF issue -
Versions affected
- 6.x-4.2 and before
Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.
This module is not supported. Uninstall the module.
Also see the Addressbook project page.
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.