  • Advisory ID: DRUPAL-SA-2008-055
  • Project: Stock (third-party module)
  • Versions: 6.x
  • Date: 2008-September-24
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

The stock module provides the ability to query price quotes and trading volumes from various stock markets.

An oversight in the menu permissions code allows any user to change the text of the heading at the top of the stock quotes page. Because this text is output without escaping, it is safe only for a site administrator to modify. Due to the access bypass, users can add arbitrary HTML and script code to pages. Wikipedia has more information about such cross site scripting (XSS) attacks.
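The two defects described above, a settings page exposed under too broad a permission and a stored heading printed without escaping, can be illustrated in Drupal 6 API terms. The following is an added example written for this advisory, not the Stock module's own code; the module prefix example_stock, the variable name example_stock_heading and the use of the 'access content' permission in the weak variant are assumptions made for the illustration.

```php
<?php
// Added illustration in Drupal 6 API terms; not the Stock module's own code.
// 'example_stock', 'example_stock_heading' and the weak 'access content'
// permission are assumed for the example.

/**
 * Weak menu entry: the settings form is reachable by anyone holding the broad
 * 'access content' permission, which most sites grant to every visitor. This
 * is the kind of permission oversight the advisory describes.
 */
function example_stock_menu_weak() {
  $items['admin/settings/example-stock'] = array(
    'title' => 'Stock settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_stock_settings_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Hardened menu entry: only users holding an administrative permission may
 * open the form that edits the heading.
 */
function example_stock_menu_hardened() {
  $items['admin/settings/example-stock'] = array(
    'title' => 'Stock settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_stock_settings_form'),
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}

/**
 * Settings form: stores the heading text in a Drupal variable.
 */
function example_stock_settings_form() {
  $form['example_stock_heading'] = array(
    '#type' => 'textfield',
    '#title' => t('Heading shown above the quotes'),
    '#default_value' => variable_get('example_stock_heading', t('Stock quotes')),
  );
  return system_settings_form($form);
}

/**
 * Weak page callback: prints the stored heading raw, so any markup or script
 * saved through the form is rendered as part of the page.
 */
function example_stock_page_weak() {
  $heading = variable_get('example_stock_heading', t('Stock quotes'));
  return '<h2>' . $heading . '</h2>';
}

/**
 * Hardened page callback: check_plain() HTML-encodes the stored text, so the
 * page stays safe even if the value is changed by someone who should not
 * have been able to (defense in depth alongside the stricter access check).
 */
function example_stock_page_hardened() {
  $heading = variable_get('example_stock_heading', t('Stock quotes'));
  return '<h2>' . check_plain($heading) . '</h2>';
}
```

The access fix and the output escaping are independent: restricting the menu item closes the bypass, while check_plain() on output ensures that a configuration value is never trusted as HTML, which is the safer default for any admin-editable text that is not explicitly intended to carry markup.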

Versions Affected

  • Versions of Stock for Drupal 6.x prior to 6.x-1.0

Drupal core is not affected. If you do not use the Stock module, there is nothing you need to do.

Solution

Install the latest version.

Also see the Stock project page.

Reported by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.