• Advisory ID: DRUPAL-SA-CONTRIB-2010-090
  • Project: Yr Weatherdata (third-party module)
  • Version: 6.x
  • Date: 2010-September-08
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection


The Yr Weatherdata module displays weather forecasts, and enables users with the proper permission to set the sort method. When setting the sorting method the module does not filter the value input by the user correctly. This vulnerability can be exploited to perform an SQL Injection attack.

Versions affected

  • Yr Weatherdata module for Drupal 6.x before version 6.x-1.6

Drupal core is not affected. If you do not use the contributed Yr Weatherdata module, there is nothing you need to do.


Install the latest version:

See also the Yr Weatherdata project page.

Reported by

  • Fredrik Kilander (tjodolv), module maintainer

Fixed by

  • Fredrik Kilander (tjodolv), module maintainer


The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.