• Advisory ID: DRUPAL-SA-CONTRIB-2009-063
  • Project: XML sitemap (third-party module)
  • Version: 5.x
  • Date: 2009-September-30
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize the output of the link paths before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

  • XML sitemap versions 5.x prior to 5.x-1.7

Drupal core is not affected. If you do not use the contributed XML sitemap module, there is nothing you need to do.


Install the latest version:

See also the XML sitemap module project page.

Important notes

This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team.

Reported by

This vulnerability was publicly disclosed.

Fixed by

Dave Reid of the Drupal Security Team and module co-maintainer.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.