- Advisory ID: DRUPAL-SA-CONTRIB-2009-086
- Project: OpenSocial Shindig-Integrator (third-party module)
- Version: 6.x, 5.x
- Date: 2009-October-86
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets.
The module fails to sanitize user input, making it vulnerable to cross site scripting (XSS) attacks. This vulnerability is somewhat limited by the fact that an attacker would need an account with the permissions to "create application" on the site.
- OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial Shindig-Integrator 6.x-2.1
- OpenSocial Shindig-Integrator module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed OpenSocial Shindig-Integrator module, there is nothing you need to do.
Install the latest version or disable the module.
- If you use the OpenSocial Shindig-Integrator module for Drupal 6.x, upgrade to OpenSocial Shindig-Integrator 6.x-2.1.
- If you use the OpenSocial Shindig-Integrator module for Drupal 5.x, disable the module and un-install it. The 5.x branch is no longer supported.
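When auditing several sites, the version rules above can be applied to the `version` line that drupal.org packaging writes into a module's `.info` file. The following is an added example, not part of the advisory or of the module's code; the function names and the sample `.info` text are constructed for illustration.

```python
import re

# Drupal contrib versions: "6.x-2.1", "6.x-2.1-beta1", "6.x-2.x-dev"
VERSION_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$')
# "version" line as written into .info files by drupal.org packaging
INFO_VERSION_RE = re.compile(
    r'^[ \t]*version[ \t]*=[ \t]*"?([^"\s]+)"?[ \t]*$', re.M)

FIXED_6X = (2, 1)  # advisory: 6.x releases prior to 6.x-2.1 are affected

# Constructed sample .info content (not taken from the real module)
SAMPLE_INFO = '''name = Example module
core = 6.x
version = "6.x-2.0"
'''


def triage(version):
    """Map an installed version string to the action the advisory calls for."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "review manually"
    core, major, patch, extra = m.groups()
    if core == "5":
        # The 5.x branch is unsupported and has no fixed release.
        return "disable and uninstall"
    if core != "6":
        return "not covered by advisory"
    if patch == "x":
        # A -dev snapshot cannot be ordered against 6.x-2.1 by name alone.
        return "review manually"
    release = (int(major), int(patch))
    # A pre-release tag (e.g. 6.x-2.1-beta1), if one is installed,
    # sorts before the 6.x-2.1 release itself.
    if release < FIXED_6X or (release == FIXED_6X and extra):
        return "upgrade to 6.x-2.1"
    return "not affected"


def triage_info_file(text):
    """Triage a module from the text of its .info file."""
    m = INFO_VERSION_RE.search(text)
    return triage(m.group(1)) if m else "review manually"


if __name__ == "__main__":
    print(triage_info_file(SAMPLE_INFO))
```

A module checked out from version control has no packaged `version` line, so it falls through to manual review.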
- Tony Mobily
- Astha Bhatnagar, module maintainer.
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.