• Advisory ID: DRUPAL-SA-CONTRIB-2009-021
  • Project: CCK comment reference (third-party module)
  • Version: 6.x
  • Date: 2009 April 15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)


CCK comment reference project, lets administrators define node fields that are references to comments. When displaying a node edit form, the titles of candidate referenced comments are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

Versions affected

  • Versions of CCK comment reference for Drupal 6.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the CCK comment reference module, there is nothing you need to do.


Install the latest version:

See also the CCK comment reference project page.

Reported by

Kristof De Jaeger (swentel).

Fixed by

Kristof De Jaeger (swentel).


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.