• Advisory ID: DRUPAL-SA-CONTRIB-2010-017
  • Project: iTweak Upload (third-party module)
  • Version: 6.x
  • Date: 2010 February 17
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting (XSS) attack.

Versions affected

  • iTweak Upload 6.x-2.x prior to 6.x-2.3
  • iTweak Upload 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed iTweak Upload module, there is nothing you need to do.


Install the latest version:

See also the iTweak Upload project page.

Reported by

  • Mark Piper

Fixed by

  • iva2k, the iTweak Upload module maintainer.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.