  • Advisory ID: DRUPAL-SA-CONTRIB-2009-104
  • Project: Feed Element Mapper (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item, such as tags or the author name, to taxonomy or CCK fields. These mappings are configurable through a point-and-click interface. When configuring the mapping, some values coming from external feeds are not sanitized before they are displayed, leading to a Cross Site Scripting (XSS) vulnerability.
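The class of bug described above, shown with its mitigation as an added example (this is not the module's code or its actual fix): every feed-supplied element name and sample value is HTML-escaped at the point it is rendered in a mapping form. The feed item, function names and markup are constructed for illustration; in Drupal 5.x and 6.x the escaping helper would be `check_plain()` rather than the `esc()` wrapper used here.

```php
<?php
// Added example. The feed item below is constructed sample data, and the
// function names (flatten_elements, esc, render_mapping_rows) are hypothetical.

// A parsed feed item as a mapper might receive it. The feed publisher controls
// every key and value, so all of it is untrusted input.
$feed_item = array(
  'title' => 'Release notes',
  'options' => array(
    'author' => 'Jane <script>alert(1)</script>',
    'tags' => array('security', '"><img src=x onerror=alert(2)>'),
  ),
);

// Flatten nested elements into "path => sample value" pairs for display.
function flatten_elements(array $item, $prefix = '') {
  $flat = array();
  foreach ($item as $key => $value) {
    $path = $prefix === '' ? (string) $key : $prefix . '->' . $key;
    if (is_array($value)) {
      $flat += flatten_elements($value, $path);
    }
    else {
      $flat[$path] = (string) $value;
    }
  }
  return $flat;
}

// Escape for an HTML text or quoted-attribute context.
function esc($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render the mapping table. Both the element path and the sample value come
// from the feed, so both are escaped at output time, not at import time.
function render_mapping_rows(array $item) {
  $rows = '';
  foreach (flatten_elements($item) as $path => $sample) {
    $rows .= '<tr><td><label><input type="checkbox" name="map[]" value="'
      . esc($path) . '"> ' . esc($path) . '</label></td><td>'
      . esc($sample) . "</td></tr>\n";
  }
  return "<table>\n" . $rows . "</table>\n";
}

echo render_mapping_rows($feed_item);
```

In the output the constructed markup appears as inert text (`&lt;script&gt;`, `&quot;&gt;&lt;img ...`) in both the cell and the attribute value.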

Versions affected

Drupal core is not affected. If you do not use the contributed Feed Element Mapper module, there is nothing you need to do.


Upgrade to the latest version:

  • If you use the Feed Element Mapper module for Drupal 6.x, upgrade to version 6.x-1.3
  • If you use the Feed Element Mapper module for Drupal 5.x, upgrade to version 5.x-1.3

If you use one of the unsupported Feed Element Mapper 6.x-2.0 alpha versions, upgrade to Feed Element Mapper 6.x-1.0-alpha4.

Reported by

  • Reported by Jose Reyero, from the Drupal Security Team

Fixed by

  • Fixed by alex_b, the module maintainer


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.