• Advisory ID: DRUPAL-SA-CONTRIB-2009-048
  • Project: Bibliography Module (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-July-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Bibliography module (Biblio) allows users to manage and display lists of scholarly publications. The module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display. A user who has the permission to create content displayed by the Bibliography module could attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access.

Versions affected

  • Bibliography Module versions 6.x prior to 6.x-1.6
  • Bibliography Module versions 5.x prior to 5.x-1.17

Drupal core is not affected. If you do not use the contributed Bibliography module, there is nothing you need to do.


Install the latest version:

See also the Bibliography Module project page.

Reported by

Justin Klein Keane.

Fixed by

Justin Klein Keane and Ron Jerome (the Bibliography module maintainer).


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.