• Advisory ID: DRUPAL-SA-CONTRIB-2009-103
  • Project: Strongarm (third-party module)
  • Version: 6.x
  • Date: 2009 November 18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values.
When using the settings page to see overridden variables, the value field is not sanitized before being displayed, leading to a Cross Site Scripting (XSS) vulnerability.

Versions affected

Drupal core is not affected. If you do not use the contributed Strongarm module, there is nothing you need to do.


Upgrade to the latest version:

  • If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1

Reported by

Fixed by


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.