- Advisory ID: DRUPAL-SA-CONTRIB-2010-092
- Project: Advanced Book Blocks (third-party module)
- Version: 6.x
- Date: 2010-September-15
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
The Advanced Book Blocks module enables you to integrate with the API provided by the JQuery Menu module (version 1.8 and higher) to provide click and expand book menus with the ability to customize each block individually.
The module contained Cross Site Scripting vulnerabilities which could allow a malicious user with one of several non-default permissions to inject arbitrary javascript into the administrative pages provided by this module.
The module also contained Cross Site Request Forgery vulnerabilities which could allow an attacker to trick an administrator into unintentionally deleting or resetting blocks provided by this module.
Versions affected
- Advanced Book Blocks module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Advanced Book Blocks module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Advanced Book Blocks module for Drupal 6.x upgrade to Advanced Book Blocks 6.x-2.2
See also the Advanced Book Blocks.
Reported by
- Matt Chapman, of the Drupal Security Team.
Fixed by
- Aaron Hawkins, the module maintainer.
- Matt Chapman, of the Drupal Security Team.
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.