Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-2006-021
- Project: Site Profile Directory
- Date: 2006-Sep-20
- Security risk: less critical
- Exploitable from: remote
- Vulnerability: cross site scripting
It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.
Drupal core is not affected. If you do not use the Site Profile Directory module there is nothing you need to do.
If you are running Site Profile Directory, please check the CVS $Id$ fields on the second line of the file profile_pages.module to determine whether the version you are running is vulnerable. Versions lacking this field or older than the following are vulnerable:
- Drupal 4.6 - // $Id: profile_pages.module,v 22.214.171.124 2006/09/14 07:00:14 heine Exp $
- Drupal 4.7 - // $Id: profile_pages.module,v 126.96.36.199 2006/09/14 09:08:58 heine Exp $
Install the latest version:
See also the Site Profile Directory project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.