SA-CONTRIB-2009-076 - Flag Content Cross Site Scripting

By kbahey on 21 Oct 2009 at 18:28 UTC

Advisory ID: SA-CONTRIB-2009-076
Project: Flag Content (third-party module)
Version: 5.x
Date: 2009-October-21
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

The Flag Content module enables users to flag nodes and users for the attention of a site maintainer (e.g. for abuse, spam, trolling, ...etc.). In some specific cases, the module does not sanitize before outputting the Reason field, resulting in a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

Flag Content 5.x-2.x prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Flag Content module, there is nothing you need to do.

Solution

Install the latest version:

If you use Flag Content module for Drupal 5.x upgrade to Flag Content 5.x-2.10

Reported by

patPrzybilla.

Fixed by

kbahey, the module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CONTRIB-2009-076 - Flag Content Cross Site Scripting

Description

Versions affected

Solution

Reported by

Fixed by

Contact

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community