Advisory ID: DRUPAL-SA-CONTRIB-2016-051
Project: Flag Lists (third-party module)
Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
This module enables regular users to create unlimited private flags called lists.
The flag_lists module doesn’t sufficiently filter the output when applying token strings to flag_lists links, leading to a persistent Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the “Create flag lists” permission.
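The pattern behind this class of bug, shown as an added illustration rather than the flag_lists module's own code: a user-controlled list title containing tokens is expanded and placed into link markup with escaping disabled, so whatever markup the list creator stored is emitted verbatim. The function names are hypothetical; the `token_replace()` and `l()` calls are the standard Drupal 7 APIs.

```php
<?php
// Added illustration, not code from the flag_lists module. Function names are
// hypothetical; token_replace() and l() are the Drupal 7 core APIs.

// Vulnerable pattern: the stored, user-supplied title is expanded without
// sanitizing, and 'html' => TRUE tells l() the title is already safe markup.
// Any markup the list creator stored (for example a <script> element) is
// emitted unescaped on every page that renders the link: persistent XSS.
function example_flag_link_vulnerable($flag_list, $node) {
  $title = token_replace($flag_list->title,
                         array('node' => $node),
                         array('sanitize' => FALSE));
  return l($title,
           'flag_lists/flag/' . $flag_list->name . '/' . $node->nid,
           array('html' => TRUE));
}

// Hardened pattern: expand tokens to plain text and let l() escape the whole
// title (its default when 'html' is not set). Escaping is applied once, at
// output time, to both the literal title text and the replaced token values,
// so stored markup is rendered as visible text instead of being executed.
function example_flag_link_hardened($flag_list, $node) {
  $title = token_replace($flag_list->title,
                         array('node' => $node),
                         array('sanitize' => FALSE));
  return l($title, 'flag_lists/flag/' . $flag_list->name . '/' . $node->nid);
}

// If a restricted set of markup is intentionally allowed in titles, filter it
// explicitly and only then mark the result as HTML.
function example_flag_link_with_allowed_markup($flag_list, $node) {
  $title = token_replace($flag_list->title,
                         array('node' => $node),
                         array('sanitize' => FALSE));
  $title = filter_xss($title, array('em', 'strong'));
  return l($title,
           'flag_lists/flag/' . $flag_list->name . '/' . $node->nid,
           array('html' => TRUE));
}
```

The review check this suggests for similar modules: wherever user-supplied text reaches `l()`, `theme('link')` or `#markup` with `'html' => TRUE`, confirm that the value was passed through `check_plain()` or `filter_xss()` first, and avoid sanitizing twice (once in `token_replace()` and again in `l()`), which produces double-escaped output.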
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
flag_lists 7.x-3.x versions prior to 7.x-3.1.
flag_lists 7.x-1.x versions prior to 7.x-1.3.
Please note that two different branches of the flag_lists module are available: 7.x-3.x, which is used together with flag 7.x-3.x, and one for the earlier flag module (prior to 7.x-3.x).
Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need
Original URL: https://www.drupal.org/node/2796651