- Advisory ID: DRUPAL-SA-CONTRIB-2009-052
- Project: Printer, e-mail and PDF versions (Print) (third-party modules)
- Version: 5.x, 6.x
- Date: 2009-August-19
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content. The module does not properly escape a number of user-supplied variables before output. A user who has permission to add content could attempt a cross-site scripting (XSS) attack, which may in some cases lead to that user gaining full administrative access.
Versions affected
- Print versions 6.x prior to 6.x-1.8
- Print versions 5.x prior to 5.x-4.8
Drupal core is not affected. If you do not use the contributed Print module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Print module on Drupal 6.x, upgrade to 6.x-1.8
- If you use the Print module on Drupal 5.x, upgrade to 5.x-4.8
See also the Print module project page.
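A check of an installed copy against the version ranges above, as an added example that is not part of the advisory or of the Print project's code. It assumes the module's .info file carries a `version = "..."` line as drupal.org release packages do; the function names and the sample file text are constructed for illustration.

```python
import re

# Fixed releases from the advisory, keyed by Drupal core branch.
FIXED = {"5.x": (4, 8), "6.x": (1, 8)}

# Assumption: print.info carries a line such as  version = "6.x-1.7"
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?', re.MULTILINE)
# <core>-<major>.<patch>[-<extra>], e.g. 6.x-1.8 or 6.x-1.8-rc1
RELEASE = re.compile(r'^(\d+\.x)-(\d+)\.(\d+)(?:-(.+))?$')

# Constructed sample, not the real contents of print.info.
SAMPLE_INFO = '''name = "Printer-friendly pages"
core = 6.x
; version = "commented-out lines are ignored"
version = "6.x-1.7"
project = "print"
'''

def info_version(info_text):
    """Return the version string found in .info file text, or None."""
    m = VERSION_LINE.search(info_text)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Print version string.

    'unknown' covers anything the advisory's ranges cannot decide: dev
    snapshots (6.x-1.x-dev), pre-releases of the fixed version, other core
    branches, or a missing version line. Those need a manual look.
    """
    m = RELEASE.match(version or "")
    if not m or m.group(1) not in FIXED:
        return "unknown"
    release = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED[m.group(1)]
    if release < fixed:
        return "affected"
    if release == fixed and m.group(4):
        return "unknown"  # e.g. 6.x-1.8-rc1: may predate the fix
    return "fixed"

if __name__ == "__main__":
    found = info_version(SAMPLE_INFO)
    print(found, classify(found))
```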
Reported by
Fixed by
João Ventura, the "Printer, e-mail and PDF versions" project maintainer, with assistance from Ben Jeavons of the Drupal Security Team
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.