
Advanced Poll 6.x versions – XSS Vulnerability

Disclosing a Cross-site Scripting vulnerability in the Advanced Poll module for Drupal.

During the weekend I discovered an XSS issue with the Advanced Poll module. I've made sure to provide a patch and submit this to the issue queue.

I have actually submitted a few other SAs in the past. One of them was for the nice_dash module, which aims to provide a dashboard interface for Drupal administrators, but unfortunately it wasn't yet merged to source control.

Drupal Security Advisory – XSS vulnerability in Advanced Poll module versions 6.x-3.x and prior
Project: Advanced Poll (third-party module)

Version: 6.x-3.x and earlier

Date: 2013-10-25

Security risk: Highly critical

Exploitable from: Remote

Vulnerability: Cross-site Scripting

This module enables you to create advanced types of polls, such as binary and ranking polls (the module's own terms for them). The module did not sufficiently filter poll question titles for malicious JavaScript before rendering them, so script embedded in a title would execute in the browser of anyone viewing the poll. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit polls.
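The following is an added illustration, not code from the Advanced Poll module or from the patch described here. It shows the general shape of the defect and its fix in Drupal 6 terms: a poll title taken from the database is untrusted input, and it must be escaped at output time with check_plain() (Drupal 6's HTML-escaping helper) before being placed in markup. The render functions, the CSS class and the sample title are hypothetical and constructed for the example; a fallback check_plain() is defined only so the script runs under plain PHP outside Drupal.

```php
<?php
// Added example (not the Advanced Poll module's own code): demonstrates why a
// poll question title must be escaped before it is placed in HTML output.
// Runs with plain PHP; inside Drupal 6 the module's real check_plain() is used.

if (!function_exists('check_plain')) {
  // Minimal stand-in for Drupal 6's check_plain(): escape HTML special chars.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample input: a poll title as a user with "create poll"
// permission might submit it. Anything here is attacker-controlled text.
$untrusted_title = 'Favourite colour? <script>alert(1)</script>';

// Vulnerable pattern (hypothetical): the title is interpolated into markup
// without escaping, so browser-interpretable tags survive into the page.
function render_poll_title_vulnerable($title) {
  return '<h2 class="poll-title">' . $title . '</h2>';
}

// Hardened pattern: escape at the point of output. check_plain() turns
// '<', '>', '&' and quotes into entities, so the title is shown as text.
function render_poll_title_safe($title) {
  return '<h2 class="poll-title">' . check_plain($title) . '</h2>';
}

// Simple regression check a maintainer can keep in a test: once the title
// has been escaped, no raw <script> tag may remain in the rendered markup.
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

$vulnerable = render_poll_title_vulnerable($untrusted_title);
$safe       = render_poll_title_safe($untrusted_title);

echo "Unescaped: $vulnerable\n";
echo "Escaped:   $safe\n";
echo 'Raw <script> in unescaped output: ' . (contains_raw_script($vulnerable) ? 'yes' : 'no') . "\n";
echo 'Raw <script> in escaped output:   ' . (contains_raw_script($safe) ? 'yes' : 'no') . "\n";
```

Running it with `php poll_title.php` prints the two renderings; the escaped one contains `&lt;script&gt;` rather than a live tag, and the regression check reports "no" for it. If a title field legitimately needs a small subset of markup, Drupal 6's filter_xss() with an explicit tag whitelist is the appropriate alternative to check_plain(); either way the escaping belongs at output time, not only on save.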

Versions affected
Advanced Poll 6.x-3.x and all prior versions

Solution
Apply the patch

Reported by
Liran Tal <liran.tal@gmail.com>

Fixed by
Liran Tal <liran.tal@gmail.com>