Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-103
- Project: Strongarm (third-party module)
- Version: 6.x
- Date: 2009 November 18
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values.
When using the settings page to see overridden variables, the value field is not sanitized before being displayed, leading to a Cross Site Scripting (XSS) vulnerability.
Versions affected
- Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1
Drupal core is not affected. If you do not use the contributed Strongarm module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1
Reported by
- Reported by bengtan
Fixed by
- Fixed by jmiccolis, the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
