- Advisory ID: DRUPAL-SA-CONTRIB-2009-038
- Project: Nodequeue (third-party module)
- Version: 5.x, 6.x
- Date: 2009-June-10
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
The Nodequeue module enables an administrator to arbitrarily put nodes in a group for some purpose, such as providing a listing of nodes or featuring a particular node. It suffers from a cross-site scripting (XSS) vulnerability due to not properly sanitizing vocabulary names before they are displayed. Additionally, the module does not respect node access restrictions when displaying node titles.
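To make the two bug classes concrete, the following PHP is an added illustration written for this page; it is not Nodequeue's actual code and does not reproduce the fixed lines from the 5.x-2.7 / 6.x-2.2 releases. It uses real Drupal 6.x APIs (taxonomy_get_vocabularies(), check_plain(), theme('item_list'), db_query(), db_rewrite_sql(), l()); the nq_demo_* function names and the {demo_queue_nodes} table with qid, nid and position columns are hypothetical stand-ins for the module's own code and schema.

```php
<?php
// Added illustration, not Nodequeue's code. Function names nq_demo_* and the
// {demo_queue_nodes} table (qid, nid, position) are hypothetical.

// --- Cross-site scripting: vocabulary name output without sanitizing ------

// Weak: vocabulary names are user-controlled text stored in the database.
// A vocabulary named "<script>alert(1)</script>" is emitted verbatim and runs
// in the browser of whoever views this page. theme('item_list') does not
// escape the items it is handed.
function nq_demo_vocab_list_weak() {
  $items = array();
  foreach (taxonomy_get_vocabularies() as $vocab) {
    $items[] = $vocab->name;              // unescaped
  }
  return theme('item_list', $items);
}

// Fixed: escape once, at the output boundary, with check_plain(), which
// turns <, >, &, " into their HTML entities.
function nq_demo_vocab_list_fixed() {
  $items = array();
  foreach (taxonomy_get_vocabularies() as $vocab) {
    $items[] = check_plain($vocab->name);
  }
  return theme('item_list', $items);
}

// --- Access bypass: node titles listed without node access checks ---------

// Weak: every queued node's title is listed, including nodes the current
// user is not allowed to view (for example, nodes restricted by a node
// access module). l() escapes the link text by default, so this is an
// information disclosure rather than an XSS.
function nq_demo_queue_titles_weak($qid) {
  $items = array();
  $sql = "SELECT n.nid, n.title FROM {node} n
          INNER JOIN {demo_queue_nodes} q ON n.nid = q.nid
          WHERE q.qid = %d ORDER BY q.position";
  $result = db_query($sql, $qid);
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return $items;
}

// Fixed: pass the query through db_rewrite_sql() so the node access system
// adds its grant joins and rows the current user cannot view are never
// returned. db_rewrite_sql() expects {node} aliased as "n" (its default
// primary table). It applies node access grants only; publication status
// (n.status) still has to be checked separately if unpublished nodes must
// be hidden from users without 'administer nodes'.
function nq_demo_queue_titles_fixed($qid) {
  $items = array();
  $sql = "SELECT n.nid, n.title FROM {node} n
          INNER JOIN {demo_queue_nodes} q ON n.nid = q.nid
          WHERE q.qid = %d ORDER BY q.position";
  $result = db_query(db_rewrite_sql($sql), $qid);
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return $items;
}
```

The general rule the two fixes share: sanitize at the point where text becomes markup (check_plain() for plain text, filter_xss() or check_markup() only when HTML is intended), and never build a node listing from a raw {node} query without db_rewrite_sql() or a per-node node_access('view', $node) check.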
Versions affected:
- Nodequeue for Drupal 5.x prior to Nodequeue 5.x-2.7
- Nodequeue for Drupal 6.x prior to Nodequeue 6.x-2.2
Drupal core is not affected. If you do not use the contributed Nodequeue module, there is nothing you need to do.
Upgrade to the latest version:
- If you use Nodequeue for Drupal 5.x upgrade to Nodequeue 5.x-2.7
- If you use Nodequeue for Drupal 6.x upgrade to Nodequeue 6.x-2.2
See also the Nodequeue project page.
- The XSS issue was reported by Justin C. Klein Keane.
- The access bypass issue was reported by Ezra Barnett Gildesgame.
- The XSS issue was fixed by Justin C. Klein Keane.
- The access bypass issue was fixed by Ezra Barnett Gildesgame and Earl Miles.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.