- Advisory ID: DRUPAL-SA-CONTRIB-2009-103
- Project: Strongarm (third-party module)
- Version: 6.x
- Date: 2009 November 18
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values.
When using the settings page to see overridden variables, the value field is not sanitized before being displayed, leading to a Cross Site Scripting (XSS) vulnerability.
- Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1
Drupal core is not affected. If you do not use the contributed Strongarm module, there is nothing you need to do.
Upgrade to the latest version:
- If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1
- Reported by bengtan
- Fixed by jmiccolis, the module maintainer
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.