
Drupal Devel module < 6.x-1.22 Cross-Site Scripting Vulnerability

Medium

Synopsis

The remote web server is hosting a web application that is vulnerable to a cross-site scripting attack.

Description

The remote web server hosts a Drupal install that uses the Devel module, a performance logging component.

Versions of the Drupal Devel module earlier than 6.x-1.22 are potentially affected by a cross-site scripting vulnerability because the application fails to properly sanitize URLs composed of node paths. A remote attacker with the ability to add URL aliases could exploit this flaw to execute arbitrary script code in a user's browser.

Solution

Upgrade to Drupal Devel module 6.x-1.22 or later.
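
To confirm whether an installed copy is older than the fixed release, the version line in the module's devel.info file can be compared against 6.x-1.22. The following is an added example, not part of the original advisory or the Devel project; it assumes the drupal.org-packaged version line (version = "6.x-1.21"), its sample inputs are constructed, and it reports pre-releases of 1.22 as affected as a conservative choice.

```python
import re

FIXED_CORE, FIXED_RELEASE = 6, (1, 22)   # 6.x-1.22, the fixed release named above

# Contrib version strings look like "6.x-1.21", "6.x-1.22-rc1" or "6.x-1.x-dev".
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)\d*)?$")
INFO_LINE_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)


def classify(info_text):
    """Classify the text of a devel.info file as affected, fixed or unknown."""
    line = INFO_LINE_RE.search(info_text)
    if not line:
        return "unknown"        # no packaging data, e.g. a version-control checkout
    m = VERSION_RE.match(line.group(1))
    if not m:
        return "unknown"
    core, major, patch, suffix = m.groups()
    if int(core) != FIXED_CORE or patch == "x":
        return "unknown"        # other core branch or dev snapshot: review by hand
    release = (int(major), int(patch))   # numeric compare, so 1.9 sorts before 1.22
    if release < FIXED_RELEASE:
        return "affected"
    if release == FIXED_RELEASE and suffix:
        return "affected"       # alpha/beta/rc of 1.22: treated as affected (assumption)
    return "fixed"


def info_file(version):
    """Build a constructed devel.info body carrying the given version string."""
    return 'name = Devel\ncore = 6.x\nversion = "%s"\nproject = "devel"\n' % version


if __name__ == "__main__":
    for v in ("6.x-1.9", "6.x-1.21", "6.x-1.22-rc1", "6.x-1.22", "6.x-1.x-dev"):
        print(v, "->", classify(info_file(v)))
```

An "unknown" result means the file carries no comparable release number and the module's source or changelog has to be checked manually.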