- Advisory ID: DRUPAL-SA-CONTRIB-2009-035
- Project: Booktree (third-party module)
- Version: 5.x, 6.x
- Date: 2009-June-10
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
Booktree takes as input a series of Book nodes and creates a tree-like structure using Book node relationships. The Booktree module does not properly escape the node title and node body on tree root pages. A user with privileges to create book pages could attempt a cross site scripting (XSS) attack, which may lead to the user gaining full administrative access.
Versions affected
- Booktree for Drupal 5.x prior to Booktree 5.x-7.3
- Booktree for Drupal 6.x prior to Booktree 6.x-1.1
Drupal core is not affected. If you do not use the contributed Booktree module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Booktree for Drupal 5.x upgrade to Booktree 5.x-7.3
- If you use Booktree for Drupal 6.x upgrade to Booktree 6.x-1.1
See also the Booktree project page.
Reported by
Stéphane Corlosquet of the Drupal Security Team.
Fixed by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.