An XSS (cross-site scripting) vulnerability has been found in the Pathauto module. Affected are versions older than 30 August 2006. Downloading the new versions of the module is recommended.
------------PATHAUTO CROSS SITE SCRIPTING VULNERABILITY------------
* Advisory ID: DRUPAL-SA-2006-018
* Project: Pathauto 4.6, 4.7
* Date: 2006-Sep-05
* Security risk: less critical
* Exploitable from: remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
It is possible for a malicious user to execute XSS (Cross Site Scripting) by
enticing a victim to click on a specially crafted link. This may lead to
administrator access if certain conditions are met.
Learn more about XSS on Wikipedia
[http://en.wikipedia.org/wiki/Cross_site_scripting].
------------VERSIONS AFFECTED------------
Please check the CVS $Id$ fields in the file pathauto_node.inc to determine
whether the version you are running is vulnerable. Versions older than the
following are vulnerable:
* Drupal 4.6 - /* $Id: pathauto_node.inc,v 1.14.2.1 2006/08/30 19:16:25 greggles Exp $ */
* Drupal 4.7 - /* $Id: pathauto_node.inc,v 1.17.2.1 2006/08/30 20:29:16 greggles Exp $ */
Drupal core is not affected. If you do not use pathauto, there is nothing you
need to do.
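A script for the version check described above, added here as an illustration and not part of the advisory or of the Pathauto project: it reads the expanded CVS $Id$ keyword from pathauto_node.inc and compares the revision and commit date against the fixed revisions listed above. The file contents in the samples are constructed; the branch mapping (revision prefix 1.14.2 for 4.6, 1.17.2 for 4.7) is inferred from the two $Id$ lines in the advisory.

```python
import re
from datetime import datetime

# First fixed revision of pathauto_node.inc on each release branch, taken from
# the advisory's $Id$ lines; the key is the CVS branch prefix of that revision.
FIXED = {
    "1.14.2": ("Drupal 4.6", (1, 14, 2, 1), datetime(2006, 8, 30, 19, 16, 25)),
    "1.17.2": ("Drupal 4.7", (1, 17, 2, 1), datetime(2006, 8, 30, 20, 29, 16)),
}
EARLIEST_FIX = min(entry[2] for entry in FIXED.values())

ID_RE = re.compile(
    r"\$Id:\s+pathauto_node\.inc,v\s+(?P<rev>\d+(?:\.\d+)*)\s+"
    r"(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
)

def parse_id(source):
    """Return (revision tuple, commit timestamp) from the expanded $Id$ keyword, or None."""
    m = ID_RE.search(source)
    if not m:
        return None
    rev = tuple(int(part) for part in m["rev"].split("."))
    return rev, datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S")

def assess(source):
    """Classify a pathauto_node.inc as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_id(source)
    if parsed is None:
        return "unknown"            # unexpanded $Id$ or a different file: inspect by hand
    rev, stamp = parsed
    branch = ".".join(str(part) for part in rev[:3])
    if branch in FIXED:             # a 4.6 or 4.7 release-branch file: compare revisions
        return "vulnerable" if rev < FIXED[branch][1] else "fixed"
    # Any other branch (e.g. CVS HEAD): only the commit date is comparable
    return "vulnerable" if stamp < EARLIEST_FIX else "unknown"

# Constructed samples: a pre-fix 4.6 file and the two fixed lines quoted in the advisory
OLD_46 = "<?php\n/* $Id: pathauto_node.inc,v 1.14 2006/03/02 11:05:44 greggles Exp $ */\n"
FIXED_46 = "<?php\n/* $Id: pathauto_node.inc,v 1.14.2.1 2006/08/30 19:16:25 greggles Exp $ */\n"
FIXED_47 = "<?php\n/* $Id: pathauto_node.inc,v 1.17.2.1 2006/08/30 20:29:16 greggles Exp $ */\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # usage: python check.py /path/to/modules/pathauto/pathauto_node.inc
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(assess(fh.read()))
    else:
        for name, src in [("old 4.6", OLD_46), ("fixed 4.6", FIXED_46), ("fixed 4.7", FIXED_47)]:
            print(f"{name}: {assess(src)}")
```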
------------SOLUTION------------
Install the latest version:
* Pathauto for Drupal 4.6
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.6.0.tar.gz].
* Pathauto for Drupal 4.7
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.7.0.tar.gz].