- Advisory ID: DRUPAL-SA-CONTRIB-2009-053
- Project: Ajax Table (third-party module)
- Version: 5.x
- Date: 2009-Aug-26
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters.
The module contains a number of security issues. It lacks access checks, which makes it possible for any user to delete arbitrary users and nodes.
Cross-site scripting
The module doesn't escape certain user-supplied values. Malicious users can use this to insert arbitrary HTML and script content into pages. Such a cross-site scripting attack may even lead to the malicious user gaining administrator access.
Versions affected
- Ajax Table for Drupal 5.x
Drupal core is not affected. If you do not use the contributed Ajax Table module, there is nothing you need to do.
There is no solution available. Please disable the module and remove it from your server.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.