• Advisory ID: DRUPAL-SA-2006-021
  • Project: Site Profile Directory
  • Date: 2006-Sep-20
  • Security risk: less critical
  • Exploitable from: remote
  • Vulnerability: cross site scripting


It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.

Versions affected

Drupal core is not affected. If you do not use the Site Profile Directory module there is nothing you need to do.

If you are running Site Profile Directory, please check the CVS $Id$ fields on the second line of the file profile_pages.module to determine whether the version you are running is vulnerable. Versions lacking this field or older than the following are vulnerable:

  • Drupal 4.6 - // $Id: profile_pages.module,v 2006/09/14 07:00:14 heine Exp $
  • Drupal 4.7 - // $Id: profile_pages.module,v 2006/09/14 09:08:58 heine Exp $


Install the latest version:

See also the Site Profile Directory project page.

Reported by

Ben Reser


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.