  • Advisory ID: DRUPAL-SA-2008-022
  • Project: Flickr (third-party module)
  • Version: 5.x, 6.x
  • Date: 2008-April-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting

Description

The Flickr module lets a site display photos hosted on Flickr by retrieving them through the Flickr API. The module provides an input filter for inserting photos and photosets into content, and blocks that show a user's recent photos and photosets. Several values obtained from Flickr are output without being escaped, which allows a user who controls those values to inject arbitrary HTML and script into the pages on which they are rendered.
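The defect class described above, as an added illustration that is not the Flickr module's own code: a photo record whose fields come from an external API is rendered once with the values concatenated straight into markup, and once with every externally sourced value passed through Drupal's core escaping helper `check_plain()` (present in Drupal 5 and 6). The photo record, its field names and the image host are constructed for the example; the `check_plain()` fallback exists only so the file runs outside a Drupal bootstrap.

```php
<?php
// Added example, not code from the Flickr module or from Drupal core.
// Assumes Drupal 5/6's check_plain(); the stand-in below mirrors its
// behaviour (htmlspecialchars with ENT_QUOTES) so the script runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample record: what a hostile title and owner string returned
// by the API might look like. The id and host are placeholders.
$photo = array(
  'id'    => '1234567890',
  'title' => 'Sunset <script>alert(1)</script>',
  'owner' => 'user" onmouseover="alert(2)',
);

// Vulnerable pattern: API-supplied values are dropped into attributes as-is,
// so a title containing markup or a quote breaks out of the attribute.
function flickr_photo_vulnerable(array $photo) {
  return '<img src="https://example.invalid/' . $photo['id'] . '.jpg"'
    . ' alt="' . $photo['title'] . '"'
    . ' title="' . $photo['owner'] . '" />';
}

// Hardened pattern: every externally sourced string is escaped with
// check_plain() before it is placed in an attribute or text node, and the
// id is reduced to digits since it is only ever meant to be numeric.
function flickr_photo_safe(array $photo) {
  $id = preg_replace('/[^0-9]/', '', $photo['id']);
  return '<img src="https://example.invalid/' . $id . '.jpg"'
    . ' alt="' . check_plain($photo['title']) . '"'
    . ' title="' . check_plain($photo['owner']) . '" />';
}

// Simple check a reviewer can run over rendered output: after escaping, no
// raw '<' or '"' from the input should survive inside the attribute values.
function contains_unescaped_markup($html, array $photo) {
  foreach (array('title', 'owner') as $field) {
    if (strpos($html, $photo[$field]) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

echo "vulnerable: ", flickr_photo_vulnerable($photo), "\n";
echo "safe:       ", flickr_photo_safe($photo), "\n";
echo "vulnerable output carries raw input: ",
  contains_unescaped_markup(flickr_photo_vulnerable($photo), $photo) ? 'yes' : 'no', "\n";
echo "safe output carries raw input:       ",
  contains_unescaped_markup(flickr_photo_safe($photo), $photo) ? 'yes' : 'no', "\n";
```

`check_plain()` is the right helper when the value should be shown as literal text. If the module intends to allow a limited set of HTML tags in a field (for instance a photo description), Drupal 5/6 provide `filter_xss()` with an explicit tag whitelist for that case; concatenating the raw value is never correct for either.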

Versions affected

  • Flickr for Drupal 5.x prior to 5.x-1.3
  • Flickr for Drupal 6.x prior to 6.x-1.0-alpha

Drupal core is not affected. If you do not use the contributed Flickr module, there is nothing you need to do.

Solution

Install the latest version:

See also the Flickr project page.

Reported by

Kees Cook reported this issue.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.