Flag Lists – Moderately Critical – Cross Site Scripting – SA-CONTRIB-2016-051

Advisory ID: DRUPAL-SA-CONTRIB-2016-051
Project: Flag Lists (third-party module)
Version: 7.x
Date: 2016-September-07
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description
This module enables regular users to create unlimited private flags called lists.
The flag_lists module doesn’t sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the “Create flag lists” permission.

CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
flag_lists 7.x-3.x versions prior to 7.x-3.1.
flag_lists 7.x-1.x versions prior to 7.x-1.3.
Please note that there are two different versions available of the flag_lists module. One 7.x-3.x which is used together with flag 7.x-3.x and one for the earlier flag module prior to 7.x-3.x.
Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need


Original URL: https://www.drupal.org/node/2796651

Original article

Comments are closed.

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: