  • Advisory ID: DRUPAL-SA-CONTRIB-2009-038
  • Project: Nodequeue (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-June-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities


The Nodequeue module enables an administrator to arbitrarily put nodes in a group for some purpose, such as providing a listing of nodes or featuring a particular node. It suffers from a cross-site scripting (XSS) vulnerability because vocabulary names are not properly sanitized before they are displayed. Additionally, the module does not respect node access restrictions when displaying node titles.

Versions affected

  • Nodequeue for Drupal 5.x prior to Nodequeue 5.x-2.7
  • Nodequeue for Drupal 6.x prior to Nodequeue 6.x-2.2

Drupal core is not affected. If you do not use the contributed Nodequeue module, there is nothing you need to do.
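To check an installed copy against the fixed releases listed above, the following added example (not part of the original advisory or of the Nodequeue project) classifies a version string read from the module's .info file. It assumes the module was installed from a drupal.org release package, whose .info file carries a `version = "..."` line; the function names and the sample file contents are constructed for illustration.

```python
import re

# Fixed releases named in this advisory, keyed by Drupal core branch.
FIXED = {"5.x": (2, 7), "6.x": (2, 2)}

# Contrib version strings look like "6.x-2.1", "5.x-2.7-beta1", "6.x-2.x-dev".
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z]+\d*))?$")
# Assumption: the packaged .info file contains a line such as: version = "6.x-2.1"
INFO_LINE_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)

# Constructed sample of a packaged nodequeue.info file.
SAMPLE_INFO = '''; Constructed sample, not copied from a real release
name = Nodequeue
core = 6.x
version = "6.x-2.1"
project = "nodequeue"
'''


def version_from_info(info_text):
    """Return the version value from .info file text, or None if absent."""
    m = INFO_LINE_RE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Nodequeue version string."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(1) not in FIXED:
        return "unknown"  # unparsable, or a core branch this advisory does not list
    core, major, minor, extra = m.groups()
    if minor == "x":
        # Development snapshot: the string does not say which commits it includes.
        return "unknown"
    release, fixed = (int(major), int(minor)), FIXED[core]
    if release < fixed:
        return "affected"
    if release == fixed and extra:
        # A pre-release of the fixed version (e.g. "-rc1") is prior to that release.
        return "affected"
    return "fixed"


if __name__ == "__main__":
    found = version_from_info(SAMPLE_INFO)
    print(found, classify(found))
```

An "unknown" result (development snapshots, or a copy without a version line) should be resolved by reinstalling a tagged release at or above the fixed version.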


Upgrade to the latest version:

See also the Nodequeue project page.

Reported by

Fixed by


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.