- Advisory ID: SA-2008-033
- Project: Taxonomy Image (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-June-11
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The contributed module Taxonomy Image allows the display of images associated with taxonomy terms.
Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting). This may lead to administrator access.
Versions affected
- Taxonomy Image for Drupal 5.x before Taxonomy Image 5.x-1.3
- Taxonomy Image for Drupal 6.x before Taxonomy Image 6.x-1.3
Drupal core is not affected. If you do not use the contributed Taxonomy Image module, there is nothing you need to do.
Solution
Install the latest version:
- If you currently use Taxonomy Image 5.x-1.x upgrade to Taxonomy Image 5.x-1.3
- If you currently use Taxonomy Image 6.x-1.x upgrade to Taxonomy Image 6.x-1.3
See also the Taxonomy Image project page.
Reported by
Owen Barton (Grugnog2).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.