• Advisory ID: DRUPAL-SA-CONTRIB-2009-062
  • Project: Devel (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-September-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

  • Devel versions 6.x prior to 6.x-1.18
  • Devel versions 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed Devel module, there is nothing you need to do.


Install the latest version:

See also the Devel module project page.

Reported by

Stéphane Corlosquet of the Drupal Security Team

Fixed by

dmitrig01 of the Drupal Security Team


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.