By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-073
- Projects: Multiple third party modules - Simple Gallery, OG Menu, Tell A Friend Node, JsMath For Displaying Mathematics With TeX
- Version: 5.x, 6.x
- Date: 2010-July-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple (Cross Site Scripting, Email Header Injection)
Versions affected and proposed solutions
- Simple Gallery for Drupal 6.x
- This module creates a simple gallery using taxonomy and CCK imagefields. The module is vulnerable to a Cross Site Scripting (XSS) attack. This can be exploited by users with the ability to add taxonomy terms or tag content.
Solution: Disable the module. There is no safe version of the module to use.
- OG Menu for Drupal 6.x
- Enables users to manage menus by Organic Groups. The module is vulnerable to a Cross Site Scripting (XSS) attack which can be exploited by users with the "administer og menu" permission.
Solution: Disable the module. There is no safe version of the module to use. Update: Version 6.x-2.1 has been released and fixes the issue.
- Tell A Friend Node for Drupal 6.x
- This module provides a Tell A Friend node type for creating multiple tell a friend pages on a site. The module is vulnerable to email header injection attacks by spam bots and can be abused by any user with the "access tellafriend nodes" permission.
Solution: Disable the module. There is no safe version of the module to use.
- JsMath For Displaying Mathematics With TeX for Drupal 5.x and 6.x
- This module enables the jsMath script for displaying mathematical expressions. The module is vulnerable to a Cross Site Scripting (XSS) attack. This vulnerability can only be exploited by users with the "access administration pages" permission.
Solution: Disable the module. There is no safe version of the module to use.
Drupal core is not affected. If you do not use any of the module releases above, there is nothing you need to do.
Ongoing Maintenance of these modules
If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process.
Reported by
- Simple Gallery issue reported by Owen Barton of the Drupal Security Team
- OG Menu issue reported by Justin C. Klein Keane
- Tell A Friend Node issue reported by James McDonald
- JsMath For Displaying Mathematics With TeX issue reported by Kyle Small
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at http://drupal.org/security.