• Advisory ID: DRUPAL-SA-CONTRIB-2010-021
  • Project: AddThis Button (third-party module)
  • Version: 6.x, 5.x
  • Date: 2010-March-03
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer addthis' permission were able to exploit this vulnerability.

Versions Affected

  • AddThis Button module prior to 6.x-2.9
  • AddThis Button module prior to 5.x-2.2

Drupal core is not affected. If you do not use the contributed AddThis Button module, there is nothing you need to do.


Install the latest version:

See also the AddThis Button project page.

Reported by

  • Vesa Palmu (wesku), the module maintainer
  • Dave Hansen-Lange (dalin)

Fixed by

  • Vesa Palmu (wesku), the module maintainer.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.