  • Advisory ID: DRUPAL-SA-2007-032
  • Project: Shoutbox (third-party module)
  • Version: 5.x
  • Date: 2007-December-05
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

Messages sent from the Shoutbox block, where visitors can quickly post short messages, are not properly sanitized in a number of cases. This allows malicious users to inject arbitrary HTML and script code into the block. Learn more about cross site scripting on Wikipedia.
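The class of flaw described above, shown as an added illustration that is not the Shoutbox module's code: a block renderer that prints stored visitor input as-is, next to one that escapes each field at output time. The function names, the `nick` and `message` fields and the sample post are hypothetical; `check_plain()` is Drupal's plain-text escaping function, given a stand-in here so the snippet runs outside Drupal.

```php
<?php
// Added illustration; hypothetical names, not taken from the Shoutbox module.

// Stand-in for Drupal's check_plain() so the example runs without Drupal loaded.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Before: visitor-supplied fields are concatenated straight into block markup.
function render_shout_unsafe(array $shout) {
  return '<div class="shout"><b>' . $shout['nick'] . '</b>: '
    . $shout['message'] . '</div>';
}

// After: every visitor-supplied field is escaped when it is written to the page.
function render_shout_safe(array $shout) {
  return '<div class="shout"><b>' . check_plain($shout['nick']) . '</b>: '
    . check_plain($shout['message']) . '</div>';
}

// Regression check: true when the rendered block carries no markup
// beyond the wrapper elements the renderer itself emits.
function only_wrapper_markup($html) {
  $inner = preg_replace('#^<div class="shout"><b>|</b>: |</div>$#', '', $html);
  return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

// Constructed sample post with markup in both fields.
$shout = array(
  'nick' => '<i>visitor</i>',
  'message' => '<script>alert(1)</script>',
);

// The unsafe renderer passes the visitor's tags through to the page;
// the safe renderer turns them into inert text.
echo render_shout_unsafe($shout), "\n";
echo render_shout_safe($shout), "\n";
var_dump(only_wrapper_markup(render_shout_unsafe($shout)));
var_dump(only_wrapper_markup(render_shout_safe($shout)));
```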

Versions affected

  • Shoutbox for Drupal 5.x before Shoutbox 5.x-1.1.

Drupal core is not affected. If you do not use the contributed Shoutbox module, there is nothing you need to do.

Solution

Install the latest version:

See also the Shoutbox project page.

Reported by

Allister Beharry (allisterbeharry).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.