Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-2006-018
- Project: Pathauto 4.6, 4.7
- Date: 2006-Sep-05
- Security risk: less critical
- Exploitable from: remote
- Vulnerability: Cross site scripting
It is possible for a malicious user to execute XSS (Cross Site Scripting) by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.
Please check the CVS $Id$ fields in the file pathauto_node.inc to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable:
- Drupal 4.6 - /* $Id: pathauto_node.inc,v 22.214.171.124 2006/08/30 19:16:25 greggles Exp $ */
- Drupal 4.7 - /* $Id: pathauto_node.inc,v 126.96.36.199 2006/08/30 20:29:16 greggles Exp $ */
Drupal core is not affected. If you do not use pathauto, there is nothing you need to do.
Install the latest version:
See also the pathauto project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.