by Elliot Christenson on November 1, 2017 - 3:16pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Autologout module to fix a Cross Site Scripting (XSS) vulnerability.

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module does not sufficiently filter user-supplied text that is shown when logging a user out. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

NOTE: This only affects the Autologout 6.x-4.x branch -- the 6.x-2.x branch (which we also support) isn't vulnerable.

If you have a Drupal 6 site using the Autologout module, we recommend you update immediately.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Want to read more articles like this?

myDropWizard.com blog Subscribe to the myDropWizard.com blog and recieve e-mail updates when new articles are published!

Add comment

o