• Advisory ID: DRUPAL-SA-CONTRIB-2010-005
  • Project: Own Term (third-party module)
  • Version: 6.x-1.0
  • Date: 2010-January-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Own Term module allows users to create taxonomy terms in a designated vocabulary and when creating content this term is automatically added to the node.

The module does not sanitize the term description on a term listing page which opens a cross-site scripting (XSS) attack. Users with a role containing the permission 'create additional terms' can exploit this vulnerability.

Versions affected

  • Own Term module 6.x-1.0

Drupal core is not affected. If you do not use the contributed Own Term module, there is nothing you need to do.


Install the latest version:

See also the Own Term project page.

Reported by

Benjamin Jeavons, Own Term module comaintainer.

Fixed by

Benjamin Jeavons, Own Term module comaintainer.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.