• Advisory ID: DRUPAL-SA-CONTRIB-2009-088
  • Project: Workflow (third-party module)
  • Version: 6.x, 5.x
  • Date: 2009-October-28
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised to display as plain text, leading to a Cross Site Scripting (XSS) vulnerability. Exploiting this vulnerability would allow a malicious user to gain full administrative access.

Mitigating factors: A malicious user would need 'administer workflow' permission to carry out the cross-site-scripting attack.

Versions affected

Drupal core is not affected. If you do not use the contributed Workflow module, there is nothing you need to do.


Install the latest version.

Reported by


Fixed by

jvandyk, the module maintainer.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.