- Advisory ID: DRUPAL-SA-2008-056
- Project: Simplenews (third-party module)
- Versions: 5.x, 6.x
- Date: 2008-September-24
- Security risk: Not Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross site scripting (XSS) attacks.
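To illustrate the class of bug described above, here is an added example (not Simplenews or Drupal code) showing a newsletter category name placed into HTML unescaped, beside the same output escaped with Drupal's check_plain(). The term object is constructed, and a minimal check_plain() stand-in is defined so the script runs outside Drupal.

```php
<?php
// Added example, not code from the Simplenews module.
// check_plain() is Drupal's real escaping API; a stand-in is defined here
// only so this file runs without a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed term: a category name that a user holding the
// "administer taxonomy" permission could have saved.
$term = (object) array(
  'tid'  => 7,
  'name' => 'Weekly <script>/* marker */</script>',
);

// Vulnerable pattern: the term name is concatenated straight into markup,
// so any HTML or script in the name is sent to the browser as-is.
function render_category_unsafe($term) {
  return '<h2>Newsletter: ' . $term->name . '</h2>';
}

// Fixed pattern: the name is escaped on output, so it is displayed as text.
function render_category_safe($term) {
  return '<h2>Newsletter: ' . check_plain($term->name) . '</h2>';
}

echo render_category_unsafe($term), "\n";
// <h2>Newsletter: Weekly <script>/* marker */</script></h2>
echo render_category_safe($term), "\n";
// <h2>Newsletter: Weekly &lt;script&gt;/* marker */&lt;/script&gt;</h2>
```

The same rule applies wherever a term name is printed: escape it at the point of output (check_plain(), or a @placeholder in t()), rather than trusting that only well-behaved users hold "administer taxonomy".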
- Versions of Simplenews for Drupal 5.x prior to 5.x-1.5
- Versions of Simplenews for Drupal 6.x prior to 6.x-1.0-beta4
Drupal core is not affected. If you do not use the Simplenews module, there is nothing you need to do.
Install the latest version.
- If you use Simplenews for Drupal 5.x upgrade to Simplenews 5.x-1.5
- If you use Simplenews for Drupal 6.x upgrade to Simplenews 6.x-1.0-beta4
Note: Beta and development versions are not recommended for use on production sites.
Also see the Simplenews project page.
- The module maintainer Erik Stielstra (Sutharsan)
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.