Drupal Security Team - DRUPAL-SA-CONTRIB-2010-009
Jan 20, 2010 - 12:00 a.m.

SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting

www.drupal.org

The Block Class module allows users to add classes to any block through the block’s configuration interface. This release includes a fix for a cross-site scripting (XSS) vulnerability through which JavaScript could be inserted in the class field of a block’s configuration interface.
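The class of bug described above, shown as an added example in plain PHP. It is not the Block Class module's code or its actual fix. The function names and sample inputs are constructed for illustration, and the block body is assumed to be already-sanitized markup.

```php
<?php
// Added illustration; not code from the Block Class module.
// Hypothetical helpers: render_block_unsafe(), clean_css_classes(), render_block_safe().

// "Before" pattern: the stored class string is concatenated into the
// attribute as-is, so a quote character ends the attribute early.
function render_block_unsafe($classes, $content) {
  return '<div class="block ' . $classes . '">' . $content . '</div>';
}

// Keep only whitespace-separated tokens that look like CSS class names.
function clean_css_classes($raw) {
  $keep = array();
  foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
    if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]*$/', $token)) {
      $keep[] = $token;
    }
  }
  return implode(' ', array_unique($keep));
}

// Hardened pattern: validate the tokens, then still escape for the
// HTML attribute context as a second layer.
function render_block_safe($classes, $content) {
  $attr = htmlspecialchars(clean_css_classes($classes), ENT_QUOTES, 'UTF-8');
  return '<div class="' . trim('block ' . $attr) . '">' . $content . '</div>';
}

// Constructed sample values for the class field.
$samples = array(
  'sidebar highlight',
  'promo" onmouseover="alert(1)',
  '"><script>alert(1)</script>',
);

foreach ($samples as $s) {
  echo "input:  $s\n";
  echo "unsafe: " . render_block_unsafe($s, 'Hello') . "\n";
  echo "safe:   " . render_block_safe($s, 'Hello') . "\n\n";
}
```

Validating at output time, as here, also neutralizes values that were saved in the class field before a site was updated.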

Versions affected

  • Block Class module 5.x-1.1 and prior versions
  • Block Class module 6.x-1.2 and prior versions

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

See also the Block Class page.

Reported by

Didrik Nordström

Fixed by

Didrik Nordström and Todd Nienkerk.