Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2010-017
- Project: iTweak Upload (third-party module)
- Version: 6.x
- Date: 2010 February 17
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting (XSS) attack.
- iTweak Upload 6.x-2.x prior to 6.x-2.3
- iTweak Upload 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed iTweak Upload module, there is nothing you need to do.
Install the latest version:
- If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2
- If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3
See also the iTweak Upload project page.
- Mark Piper
- iva2k, the iTweak Upload module maintainer.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.