• Advisory ID: DRUPAL-SA-CONTRIB-2009-073
  • Project: Printer, e-mail and PDF versions (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-October-14
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities


The Printer, e-mail and PDF versions ("print") module provides printer-friendly versions of content. When displaying the list of links in a page, the module does not properly escape this data, leading to a cross site scripting (XSS) vulnerability.

In addition, the "Send by e-mail" sub-module does not properly check for access permissions before displaying the "Send to friend" form, and may display the page title for pages to which the user does not have access (usually as they are unpublished or unauthorized for his role), even though the user is not actually allowed to send them by e-mail.

Versions affected

  • Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
  • Printer, e-mail and PDF versions 5.x prior to 5.x-4.9

Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do.


Install the latest version:

Or Alternatively:
Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail") module.

See also the Printer, e-mail and PDF versions project page.

Reported by:


Fixed by

jcnventura, the module maintainer


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.