Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-066
- Project: Shindig-Integrator (third-party module)
- Versions: 5.x
- Date: 2008-October-15
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Shindig-Integrator integrates the open social Shindig container with Drupal.
The module contains numerous flaws. Among them are the following issues.
- Malicious users are able to insert arbitrary HTML and script code into certain module generated pages. Such a Cross site scripting vulnerability can be used to gain administrator access.
- The module fails to restrict access to module generated pages.
Versions Affected
- All versions of Shindig-Integrator
Drupal core is not affected. If you do not use the Shindig-Integrator module, there is nothing you need to do.
Solution
There is no solution available. Please disable the module and remove it from your site.
Reported by
- The vulnerability was reported by Tony Mobily (mercmobily)
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.