• Advisory ID: DRUPAL-SA-2006-018
  • Project: Pathauto 4.6, 4.7
  • Date: 2006-Sep-05
  • Security risk: less critical
  • Exploitable from: remote
  • Vulnerability: Cross site scripting


It is possible for a malicious user to execute XSS (Cross Site Scripting) by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.

Versions affected

Please check the CVS $Id$ fields in the file pathauto_node.inc to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable:

  • Drupal 4.6 - /* $Id: pathauto_node.inc,v 2006/08/30 19:16:25 greggles Exp $ */
  • Drupal 4.7 - /* $Id: pathauto_node.inc,v 2006/08/30 20:29:16 greggles Exp $ */

Drupal core is not affected. If you do not use pathauto, there is nothing you need to do.


Install the latest version:

See also the pathauto project page.

Reported by

Erdem Köse


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.