- Advisory ID: DRUPAL-SA-CONTRIB-2010-009
- Project: Block Class (third-party module)
- Version: 6.x-1.2, 5.x-1.1
- Date: 2010-January-20
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting (XSS) vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface.
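The class of bug described above, a user-supplied class string printed into markup, is closed by constraining the value and escaping it on output. The following PHP sketch is an added illustration, not the Block Class module's code or its actual fix. The function names and sample inputs are hypothetical.

```php
<?php
// Added illustration; not the Block Class module's code.
// Hypothetical helpers showing how a user-supplied class string can be
// constrained before it is printed into a block's class attribute.

/**
 * Keep only tokens that are plain CSS class names
 * (a letter first, then letters, digits, hyphens or underscores).
 */
function example_filter_css_classes($raw) {
  $safe = array();
  foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
    if (preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $token)) {
      $safe[] = $token;
    }
  }
  return implode(' ', $safe);
}

/**
 * Build the opening tag of a block wrapper. The value is filtered and then
 * HTML-escaped, so the attribute stays intact even if the filter is later
 * loosened. In Drupal 5.x/6.x code, check_plain() is the usual escaping call.
 */
function example_block_open_tag($raw_classes) {
  $classes = trim('block ' . example_filter_css_classes($raw_classes));
  return '<div class="' . htmlspecialchars($classes, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample inputs: one ordinary value, and one containing a quote
// and angle brackets that must never reach the attribute unescaped.
$samples = array(
  'highlight sidebar-first',
  'promo"><em>injected</em>',
);
foreach ($samples as $input) {
  echo example_block_open_tag($input), "\n";
}
```

The second sample contains no whitespace, so it is treated as a single token, fails the allow-list pattern, and is dropped entirely rather than being partially kept.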
Versions affected
- Block Class module 5.x-1.1 and prior versions
- Block Class module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Block Class module for Drupal 5.x, upgrade to Block Class 5.x-1.2
- If you use the Block Class module for Drupal 6.x, upgrade to Block Class 6.x-1.3
See also the Block Class page.
Reported by
Fixed by
Didrik Nordström and Todd Nienkerk.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.