• Advisory ID: DRUPAL-SA-CONTRIB-2009-047
  • Project: Calendar (third-party module)
  • Version: 6.x
  • Date: 2009-July-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Calendar module enables Views module to display any Date module date field as a calendar. The module does not properly escape user input when displaying titles of content types that have Date fields. A user with permission to create new content types (including via the Date module's Date Tools sub-module) could attempt a cross site scripting (XSS) attack, leading to the user gaining full administrative access.

Versions affected

  • Calendar for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed Calendar module, there is nothing you need to do.

Solution

Upgrade to the latest version:

See also the Calendar project page.

Reported by

Justin C. Klein Keane

Fixed by

Justin C. Klein Keane

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.