Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-062
- Project: Devel (third-party module)
- Version: 5.x, 6.x
- Date: 2009-September-23
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
- Devel versions 6.x prior to 6.x-1.18
- Devel versions 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Devel module, there is nothing you need to do.
Install the latest version:
- If you use the Devel for Drupal 6.x upgrade to Devel 6.x-1.18
- If you use the Devel for Drupal 5.x upgrade to Devel 5.x-1.2
See also the Devel module project page.
Stéphane Corlosquet of the Drupal Security Team
dmitrig01 of the Drupal Security Team
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.