- Advisory ID: DRUPAL-SA-2007-016
- Project: LoginToboggan (third-party module)
- Version: 4.7.x-1.0, 4.7.x-1.x-dev, 5.x-1.x-dev
- Date: 2007-07-12
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
- LoginToboggan 4.7.x-1.0 or 4.7.x-1.x-dev prior to 2007-07-12
- LoginToboggan 5.x-1.x-dev prior to 2007-07-12
Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.
Install the latest version:
See also the LoginToboggan project page.
Disabling the "LoginToboggan logged in block" provides an immediate workaround that prevents anyone from exploiting these vulnerabilities remotely. The only solution for the 5.x-specific attack against users with administrator privileges is to upgrade to the official 5.x-1.0 release.
Chad Phillips (hunmonk)
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.