• Advisory ID: DRUPAL-SA-2007-019
  • Project: Content Construction Kit (CCK) (third-party module)
  • Version: 4.7.x-1.x, 5.x-1.x
  • Date: 2007-August-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting


The Content Construction Kit (CCK) allows site admins to create and customize node fields. The Nodereference module included in the CCK bundle defines fields referencing other nodes.

Two cross-site scripting (XSS) vulnerabilities were discovered :

  • when a nodereference field is displayed using the 'plain' formatter.
  • when a nodereference field is edited using the 'autocomplete text field' widget (only when _not_ using the 'advanced options - Views.module' for the field).

Versions affected

  • Nodereference (CCK - nodereference.module) 4.7.x-1.* before version 4.7.x-1.6.
  • Nodereference (CCK - nodereference.module) 5.x-1.* before version 5.x-1.6.

Drupal core is not affected. If you do not use the contributed CCK / Nodereference module, there is nothing you need to do.


Install the latest CCK release corresponding to your Drupal version: or

Disabling the Nodereference module provides an immediate workaround.

See also the CCK project page.

Reported by

Gerhard Killesreiter (killes) of the Drupal Security Team.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.