- Advisory ID: DRUPAL-SA-CONTRIB-2010-021
- Project: AddThis Button (third-party module)
- Version: 6.x, 5.x
- Date: 2010-March-03
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer addthis' permission were able to exploit this vulnerability.
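The class of bug described above, an administrator-saved setting printed without output encoding, is shown here as an added example; it is not code from the AddThis Button module. The setting keys, function names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not code from the AddThis Button module.
// $settings stands in for values an administrator saves on a module
// settings form (in Drupal 6 these would be read with variable_get()).
// Key names and values are constructed for this example.
$settings = array(
  'button_label' => 'Share "this" <b>page</b>',
  'service_user' => "o'brien",
);

// Local stand-in for Drupal's check_plain(): encode HTML metacharacters.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: stored values are concatenated into markup as-is, so quote
// characters and tags in them become part of the page structure.
function example_render_unsafe(array $s) {
  return '<a class="share" title="' . $s['button_label'] . '">Share</a>'
    . "<script>var share_user = '" . $s['service_user'] . "';</script>";
}

// After: each value is encoded for the context it lands in.
//  - HTML attribute: entity-encode the value.
//  - Inline script: JSON-encode with the HEX flags so <, >, &, ' and "
//    are emitted as \uXXXX escapes and cannot end the string or the tag.
//    (Drupal 6 code would use drupal_to_js() for this step.)
function example_render_safe(array $s) {
  $js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
  return '<a class="share" title="'
    . example_check_plain($s['button_label']) . '">Share</a>'
    . '<script>var share_user = '
    . json_encode($s['service_user'], $js_flags) . ';</script>';
}

echo example_render_unsafe($settings), "\n";
echo example_render_safe($settings), "\n";
```

In the first line of output the stored quote characters end the attribute and the script string early; in the second they appear only as encoded data.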
Drupal core is not affected. If you do not use the contributed AddThis Button module, there is nothing you need to do.
Install the latest version:
- If you use AddThis Button for Drupal 5.x, upgrade to AddThis Button 6.x-2.9.
- If you use AddThis Button for Drupal 6.x, upgrade to AddThis Button 5.x-2.2.
See also the AddThis Button project page.
- Vesa Palmu (wesku), the module maintainer.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.