• Advisory ID: DRUPAL-SA-CONTRIB-2010-004
  • Project: Node Block (third-party module)
  • Version: 6.13, 5.11
  • Date: 2010-January-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


This module allows you to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access will see region and weight options on the node form.

The Node Block module creates a block from specified content type(s). Node block doesn't properly escape titles allowing users with permissions to create/edit the specified content type(s) to inject arbitrary code into the site. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

Versions affected

  • Node Blocks module 5.x-1.1 and prior versions
  • Node Blocks module 6.x-1.3 and prior versions

Drupal core is not affected. If you do not use the contributed Feed Block module, there is nothing you need to do.


Install the latest version:

See also the Node Block project page.

Reported by

Martin Barbella and Khalid Baheyeldin

Fixed by

Thomas Turnbull.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.