Drupal Devel module < 6.x-1.22 Cross-Site Scripting Vulnerability
Medium Nessus Network Monitor Plugin ID 5631
Synopsis
The remote web server is hosting a web application that is vulnerable to a cross-site scripting attack.
Description
The remote web server hosts a Drupal install that uses the Devel module, a performance logging component.
Versions of the Drupal Devel module earlier than 6.x-1.22 are potentially affected by a cross-site scripting vulnerability because the application fails to properly sanitize URLs composed of node paths. A remote attacker with the ability to add URL aliases could exploit this flaw to execute arbitrary script code in a user's browser.
Solution
Upgrade to Drupal Devel module 6.x-1.22 or later.