• Advisory ID: DRUPAL-SA-CONTRIB-2009-111
  • Project: Randomizer (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-09
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Randomizer module assists researchers and students who want an easy way to perform random sampling or assign participants to experimental conditions. It accepts form input as parameters for generating a pseudo-random list of numbers. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability.

Versions affected

  • Randomizer module 5.x-1.0 and prior versions
  • Randomizer module 6.x-1.0 and prior versions

Drupal core is not affected. If you do not use the contributed Randomizer module, there is nothing you need to do.


The Randomizer module is not maintained and there is no direct solution. Disable the module.

Reported by


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.