Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-080
- Project: Simplenews Statistics (third-party module)
- Version: 6.x
- Date: 2009 October 21
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities (XSS, CSRF, Open Redirect)
The Simplenews Statistics module provides newsletter statistics such as the open rate and CTR (click-through rate).
The module suffers multiple vulnerabilities, including Cross Site Request Forgeries (CSRF), Cross Site Scripting problem (Cross Site Scripting) and Open Redirect. This problem allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page.
- Simplenews Statistics 6.x prior to 6.x-2.0
Drupal core is not affected. If you do not use the contributed Simplenews Statistics module, there is nothing you need to do.
Upgrade to the latest version:
- If you use Simplenews Statistics for Drupal 6.x upgrade to version 6.x-2.0
- Open redirect vulnerability reported by John Pettitt
- XSS and CSRF vulnerability reported by Dylan Wilder-Tack
- Fixed by Sjoerd Arendsen.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.