During the weekend I discovered an XSS issue with the Advanced Poll module. I've made sure to provide a patch and submit this to the issue queue.

I have actually submitted a few other SAs in the past, one of them was for the nice_dash module, which aims to provide a dashboard interface for Drupal administrators, but unfortunately it wasn't yet commited.

 
Drupal Security Advistory - XSS vulnerability in Advanced Poll module versions 6.x-3.x and prior

Project: Advanced Poll (third-party module)

Version: 6.x-3.x and earlier

Date: 2013-10-25

Security risk: Highly critical

Exploitable from: Remote

Vulnerability: Cross Site Scripting 

This module enables you to create advanced types of polls, such as binary and ranking poll, as the module calls them. The module did not sufficiently filter poll question titles for malicious JavaScript. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit polls.

Versions affected

Advanced Poll 6.x-3.x and all prior versions

Solution

Apply the patch

Reported by

Liran Tal <liran.tal@gmail.com>

Fixed by

Liran Tal  <liran.tal@gmail.com>

Tags: drupaldrupal-planet