  • Advisory ID: DRUPAL-SA-2008-056
  • Project: Simplenews (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2008-September-24
  • Security risk: Not Critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting


Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross-site scripting (XSS) attacks.

Versions Affected

  • Versions of Simplenews for Drupal 5.x prior to 5.x-1.5
  • Versions of Simplenews for Drupal 6.x prior to 6.x-1.0-beta4

Drupal core is not affected. If you do not use the Simplenews module, there is nothing you need to do.
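
One way to check installed Simplenews versions against the affected ranges listed above, as an added example that is not part of the advisory or the Simplenews project. The site names and inventory are constructed, and the pre-release ordering alpha < beta < rc < release is an assumption about Drupal contrib version strings; anything that does not parse, such as a -dev snapshot, is reported as unknown for manual review.

```python
import re

# First fixed release per Drupal core branch, taken from the advisory.
FIXED = {"5.x": "5.x-1.5", "6.x": "6.x-1.0-beta4"}

# Assumed ordering of pre-release tags; a release with no tag sorts last.
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}

VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")


def parse(version):
    """Return (core_branch, sortable_key) or None if the string is not a tagged release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    core, major, minor, stage, n = m.groups()
    return core, (int(major), int(minor), STAGE[stage], int(n or 0))


def status(version):
    """Classify one Simplenews version string against DRUPAL-SA-2008-056."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"      # e.g. 6.x-1.x-dev: cannot be ordered, review by hand
    core, key = parsed
    if core not in FIXED:
        return "not-listed"   # branch not mentioned in the advisory
    fixed_key = parse(FIXED[core])[1]
    return "affected" if key < fixed_key else "fixed"


def audit(inventory):
    """Map each site in a {site: simplenews_version} inventory to its status."""
    return {site: status(ver) for site, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, for illustration only.
    sites = {
        "news.example.org": "5.x-1.4",
        "lists.example.org": "6.x-1.0-beta3",
        "intranet.example.org": "6.x-1.0-beta4",
        "staging.example.org": "6.x-1.x-dev",
    }
    for site, result in audit(sites).items():
        print(f"{site:24} {sites[site]:16} {result}")
```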


Install the latest version of Simplenews for your Drupal branch.

Note: Beta and development versions are not recommended for use on production sites.

Also see the Simplenews project page.

Reported by

  • The module maintainer Erik Stielstra (Sutharsan)


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.