- Advisory ID: DRUPAL-SA-CONTRIB-2010-075
- Project: Tagging (third-party module)
- Version: 6.x
- Date: 2010-July 21
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Tagging module provides an alternative input widget and other features for taxonomy terms.
The module does not properly escape user-provided tags submitted to free-tagging vocabularies when they are displayed on node previews, leading to a Cross Site Scripting (XSS) vulnerability. Any user with permission to create or edit a node containing a free-tagging vocabulary is vulnerable to attack.
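The bug class is easiest to see side by side. The following PHP is added here as an illustration; it is not code from the Tagging module or from the fixed release. It shows a term-preview renderer that concatenates user-typed tags into HTML unescaped, beside the same renderer passing each tag through Drupal 6's check_plain() at the point of output. The function names, the constructed sample tags and the local check_plain() stand-in (defined only so the file runs outside a Drupal bootstrap) are assumptions.

```php
<?php
// Added example for DRUPAL-SA-CONTRIB-2010-075: unescaped free-tagging terms
// rendered into a node preview. Not the Tagging module's own code; the
// function names below are hypothetical.

// Stand-in for Drupal 6's check_plain(), which (after validating UTF-8) is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8'). Defined here only so this
// file runs without a Drupal bootstrap; inside Drupal the core function is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: term names typed by the user are concatenated into the
// preview markup as-is, so any HTML contained in a tag reaches the browser
// unchanged and is rendered (or executed) there.
function tagging_preview_vulnerable(array $terms) {
  $items = array();
  foreach ($terms as $name) {
    $items[] = '<span class="tag">' . $name . '</span>';
  }
  return '<div class="tags">' . implode(' ', $items) . '</div>';
}

// Hardened pattern: every user-supplied string is escaped with check_plain()
// at the moment it is placed into HTML. Escaping at output time (not at
// input time) is the Drupal convention, so the stored term stays intact and
// every rendering path is protected.
function tagging_preview_fixed(array $terms) {
  $items = array();
  foreach ($terms as $name) {
    $items[] = '<span class="tag">' . check_plain($name) . '</span>';
  }
  return '<div class="tags">' . implode(' ', $items) . '</div>';
}

// Check used below: does the rendered HTML still contain the user's raw
// string? For input that carries markup this must be false after the fix.
function contains_raw_input($html, $user_input) {
  return strpos($html, $user_input) !== FALSE;
}

// Constructed sample input: what a node author might type into a
// free-tagging field. The second entry deliberately contains markup.
$submitted = array('drupal', '<script>alert("xss")</script>');

echo "Vulnerable preview:\n", tagging_preview_vulnerable($submitted), "\n\n";
echo "Fixed preview:\n", tagging_preview_fixed($submitted), "\n\n";

echo 'Raw markup present in vulnerable output: ',
  contains_raw_input(tagging_preview_vulnerable($submitted), $submitted[1]) ? 'yes' : 'no', "\n";
echo 'Raw markup present in fixed output:      ',
  contains_raw_input(tagging_preview_fixed($submitted), $submitted[1]) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. The vulnerable renderer emits the `<script>` element verbatim inside the preview; the fixed renderer emits `&lt;script&gt;...` so the browser shows the text rather than executing it. When reviewing a contributed module for this class of bug, look for every place a taxonomy term name (or any other user-controlled string) is concatenated into markup without check_plain(), filter_xss() or a theme function that escapes for you. The actual change made in Tagging 6.x-2.4 is not reproduced here.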
Versions affected
- Tagging module for Drupal 6.x versions prior to 6.x-2.4.
Drupal core is not affected. If you do not use the contributed Tagging module, there is nothing you need to do.
Solution
Install the latest version:
- Upgrade to Tagging 6.x-2.4
See also the Tagging project page.
Reported by
- Mike Stefanello
- Barry Jaspan of the Drupal security team
Fixed by
- Eugen Mayer, module maintainer
- Mike Stefanello
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.