XSS vulnerability fixed in Drupal module - Update
Although the Context module is a release candidate, it is nonetheless in use on many live sites, including the White House site of the US President's office, which uses a "Context HTTP Headers" module that also requires the Context module. Because the module is still a release candidate, the Drupal developers have, in accordance with their security policy, not released an official warning, even though they do otherwise warn of vulnerabilities in third-party modules.
Drupal security team member Greg Knaddison published a list of workarounds on his blog before the Context developers released their update.
- Drupal Context Module XSS, advisory from madirish.net.
- Apache's Atlassian JIRA system compromised, a report from The H.
- WhiteHouse.gov open sources custom Drupal code, a report from The H.
- London.gov.uk switches to Drupal open source CMS, a report from The H.