• Advisory ID: DRUPAL-SA-CONTRIB-2009-079
  • Project: vCard module (third-party module)
  • Version: 6.x, 5.x
  • Date: 2009-October-21
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The vCard module adds a vCard download link to every user's profile. This link makes it easy to add users from a Drupal site to a local address book. When the theme_vcard() function is added to a theme and default content from the vCard module is output, the site will be vulnerable to Cross Site Scripting attack (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

  • vCard module versions 6.x prior to 6.x-1.3
  • vCard module versions 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed vCard module, there is nothing you need to do.


Install the latest version:

See also the vCard module project page.

Reported by

John Morahan

Fixed by

sanduhrs, the module maintainer.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.