Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-111
- Project: Randomizer (third-party module)
- Version: 5.x, 6.x
- Date: 2009-December-09
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Randomizer module assists researchers and students who want an easy way to perform random sampling or assign participants to experimental conditions. It accepts form input as parameters for generating a pseudo-random list of numbers. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability.
- Randomizer module 5.x-1.0 and prior versions
- Randomizer module 6.x-1.0 and prior versions
Drupal core is not affected. If you do not use the contributed Randomizer module, there is nothing you need to do.
The Randomizer module is not maintained and there is no direct solution. Disable the module.
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.