• Advisory ID: DRUPAL-SA-CONTRIB-2010-095
  • Project: Lightbox2 (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-September-22
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass, Cross-Site Scripting


The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page.

The module does not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability which can be used by a malicious user to gain full administrative access.

The Lightbox2 module also enables Embedded Media Field and Acidfree videos to be displayed in a modal popup. In some cases checks on the user's field level access to the source video were not carried out correctly, allowing direct queries to the backend URL resulting in the display of videos which the user would otherwise be unable to access.

Versions affected

  • Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
  • Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Lightbox2 module there is nothing you need to do.


Install the latest version:

See also the Lightbox2 project page.

Reported by

Fixed by


The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.