* Advisory ID: DRUPAL-SA-CONTRIB-2012-051
  * Project: Activity [1] (third-party module)
  * Version: 6.x
  * Date: 2012-March-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Cross Site Request Forgery

-------- DESCRIPTION  
---------------------------------------------------------

The Activity module keeps track of the things people do on your site and
provides mini-feeds of these activities in blocks, in a specialized table,
and via RSS. The module is extensible so that any other module can integrate
with it. The messages that are produced are customizable via the admin
interface and are context sensitive.

The 6.x-1.x branch of the module does not filter output of the module
settings correctly leading to a cross site scripting vulnerability (XSS). It
also does not confirm user intent when removing a single activity resulting
in a cross site request forgery vulnerability.

The XSS vulnerability is mitigated by the fact that it requires the malicious
user to have a role with the "access administration pages" and "administer
activity" permissions.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * All releases of the 6.x-1.x branch

Drupal core is not affected. If you do not use the contributed Activity [3]
module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:

  * The 6.x-1.x branch of this module is no longer supported. Upgrade to
    6.x-2.0-alpha1 [4]

Note that there is currently no upgrade path. Users of the module are
encouraged to work in the module queue to help build an upgrade path. Also
see the Activity [5] project page.

-------- REPORTED BY  
---------------------------------------------------------

  * Ivo Van Geertruyen [6] of the Drupal Security Team

-------- COORDINATED BY  
------------------------------------------------------

  * Michael Hess [7] of the Drupal Security Team
  * Greg Knaddison [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/activity
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/activity
[4] http://drupal.org/node/944146
[5] http://drupal.org/project/activity
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/102818
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration