- Advisory ID: DRUPAL-SA-2008-022
- Project: Flickr (third-party module)
- Version: 5.x, 6.x
- Date: 2008-April-02
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The Flickr module lets a site display photos from Flickr via the Flickr API. The module provides a filter for inserting photos and photosets, and blocks for a user's recent photos and photosets. Several values are output without being escaped, which enables users to inject arbitrary HTML and script code into pages.
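The bug class described above, as an added example: this is not code from the Flickr module or from the advisory, and the function names and the shape of the API response are assumptions. It shows a value received from an external API being printed into page markup without escaping, next to the hardened form that passes it through Drupal's check_plain() (the Drupal 5/6 escaping function) before output.

```php
<?php
// Added illustration of the unescaped-output bug class, not the module's own code.
// Names and data below are constructed for the example.

// Outside Drupal, fall back to the equivalent of Drupal 6's check_plain():
// HTML-escape with quotes so the value is inert in both text and attributes.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample of one photo record as it might come back from an API.
// The title is the attacker-controlled field: a photo owner can set it freely.
$photo = array(
  'id'    => '12345',
  'owner' => 'example_user',
  'title' => '<script>alert(document.cookie)</script>Sunset over the bay',
);

// Vulnerable pattern (hypothetical function): external text concatenated
// straight into markup, so any HTML in the title becomes part of the page.
function flickr_example_render_vulnerable(array $photo) {
  return '<div class="flickr-photo" title="' . $photo['title'] . '">'
       . $photo['title'] . '</div>';
}

// Hardened pattern (hypothetical function): every externally supplied value
// is escaped at the point it enters HTML, in attributes and in text alike.
function flickr_example_render_fixed(array $photo) {
  $title = check_plain($photo['title']);
  return '<div class="flickr-photo" title="' . $title . '">' . $title . '</div>';
}

// Regression-style check a maintainer could keep: the rendered output must
// never contain a raw script tag, whatever the title holds.
function flickr_example_output_is_inert($html) {
  return stripos($html, '<script') === false;
}

$vulnerable = flickr_example_render_vulnerable($photo);
$fixed      = flickr_example_render_fixed($photo);

echo "Vulnerable: " . $vulnerable . "\n";
echo "Fixed:      " . $fixed . "\n";
echo "Vulnerable output inert? " . (flickr_example_output_is_inert($vulnerable) ? 'yes' : 'no') . "\n";
echo "Fixed output inert?      " . (flickr_example_output_is_inert($fixed) ? 'yes' : 'no') . "\n";
```

The check at the end is the property a code review of the module would look for in each place an API value reaches HTML: block titles, alt and title attributes, and filter output all need the same treatment, since a single unescaped site is enough to reproduce the issue.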
Versions affected
- Flickr for Drupal 5.x prior to 5.x-1.3
- Flickr for Drupal 6.x prior to 6.x-1.0-alpha
Drupal core is not affected. If you do not use the contributed Flickr module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x install Flickr 5.x-1.3.
- If you use Drupal 6.x install Flickr 6.x-1.0-alpha1.
See also the Flickr project page.
Reported by
Kees Cook reported this issue.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.