- Advisory ID: DRUPAL-SA-CONTRIB-2009-088
- Project: Workflow (third-party module)
- Version: 6.x, 5.x
- Date: 2009-October-28
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised before being displayed as plain text, leading to a Cross Site Scripting (XSS) vulnerability. Exploiting this vulnerability would allow a malicious user to gain full administrative access.
Mitigating factors: A malicious user would need 'administer workflow' permission to carry out the cross-site-scripting attack.
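The following is an added illustration, not code from the Workflow module: a hypothetical helper that renders workflow state names into HTML, shown once without sanitisation (the class of defect described above) and once with Drupal 6's check_plain(). The function names, the sample state names and the stand-in check_plain() definition are assumptions made so the snippet runs outside Drupal.

```php
<?php
// Added illustration, not the Workflow module's own code. The helper
// names and sample data below are hypothetical.

// Stand-in so this runs outside Drupal; Drupal 6's check_plain() is
// htmlspecialchars() with ENT_QUOTES and UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: state names (set by anyone with the
// 'administer workflow' permission) are concatenated into markup
// verbatim, so a name containing tags is rendered as HTML.
function render_states_unsafe(array $states) {
  $html = '<ul>';
  foreach ($states as $sid => $name) {
    $html .= '<li>' . $name . '</li>';
  }
  return $html . '</ul>';
}

// Fixed pattern: every name passes through check_plain() before it
// reaches the page, so the same input is displayed as literal text.
function render_states_safe(array $states) {
  $html = '<ul>';
  foreach ($states as $sid => $name) {
    $html .= '<li>' . check_plain($name) . '</li>';
  }
  return $html . '</ul>';
}

// Constructed sample data: one ordinary state and one whose name
// carries markup, as an administrator with the permission could enter.
$states = array(
  1 => 'Draft',
  2 => 'Published <script>alert(1)</script>',
);

// The unsafe renderer emits the tag intact; the safe one escapes it.
assert(strpos(render_states_unsafe($states), '<script>') !== false);
assert(strpos(render_states_safe($states), '<script>') === false);
assert(strpos(render_states_safe($states), '&lt;script&gt;') !== false);

echo render_states_unsafe($states), "\n";
echo render_states_safe($states), "\n";
```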
Versions affected
- Workflow module versions Drupal 6.x prior to Workflow 6.x-1.2
- Workflow module versions Drupal 5.x prior to Workflow 5.x-2.4
Drupal core is not affected. If you do not use the contributed Workflow module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the Workflow module for Drupal 6.x upgrade to Workflow 6.x-1.2
- If you use the Workflow module for Drupal 5.x upgrade to Workflow 5.x-2.4
Reported by
Fixed by
jvandyk, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.