  • Advisory ID: DRUPAL-SA-CONTRIB-2010-002
  • Project: Currency Exchange (third-party module)
  • Version: 6.x
  • Date: 2010-January-6
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


This module provides a site with the ability to display currency exchange rates. The module does not sanitize some of the user-supplied data before logging it to the watchdog, leading to a cross-site scripting (XSS) vulnerability.
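The difference between the unsafe and safe ways of passing user data to Drupal 6's `watchdog()`, as an added example that is not code from the Currency Exchange module or from this advisory. The `model_*` functions are simplified stand-ins (assumptions) for `watchdog()`, `check_plain()` and the log viewer's use of `t()`, and the input value is constructed.

```php
<?php
// Simplified stand-ins for Drupal 6 behaviour (assumptions for this example,
// not Drupal core or Currency Exchange code).

// Model of check_plain(): HTML-escape a string for output.
function model_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Model of watchdog(): store the message template and its variables as given.
function model_watchdog(array &$log, $type, $message, array $variables = array()) {
  $log[] = array('type' => $type, 'message' => $message, 'variables' => $variables);
}

// Model of the log viewer: substitute variables into the template the way t()
// does, escaping "@" and "%" placeholders and inserting "!" ones unescaped.
function model_render(array $entry) {
  $args = array();
  foreach ($entry['variables'] as $key => $value) {
    switch ($key[0]) {
      case '@': $args[$key] = model_check_plain($value); break;
      case '%': $args[$key] = '<em>' . model_check_plain($value) . '</em>'; break;
      default:  $args[$key] = $value; // "!" placeholder: raw insertion
    }
  }
  // With no variables the stored template is emitted exactly as logged.
  return $args ? strtr($entry['message'], $args) : $entry['message'];
}

// Constructed sample input standing in for a user-supplied request value.
$currency = '<script>alert(1)</script>';
$log = array();

// Weak: user data concatenated into the template, so nothing escapes it.
model_watchdog($log, 'currency', 'Unknown currency: ' . $currency);

// Hardened: user data passed as an "@" placeholder, escaped when displayed.
model_watchdog($log, 'currency', 'Unknown currency: @cur', array('@cur' => $currency));

// Print both entries as the log page would render them.
foreach ($log as $entry) {
  echo model_render($entry), "\n";
}
```

The first entry reaches the administrator's log page with its markup intact, while the second is rendered as inert text.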

Versions affected

  • Currency Exchange versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Currency Exchange module, there is nothing you need to do.


Install the latest version: upgrade to Currency Exchange 6.x-1.2.

See also the Currency Exchange module project page.

Reported by


Fixed by

mr.baileys and kbahey, one of the module's maintainers.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.