- Advisory ID: DRUPAL-SA-CONTRIB-2011-006
- Project: Flag page (third-party module)
- Version: 6.x
- Date: 2011-February-02
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the user must have the "administer flags" permission in order to create and edit flags and enter the XSS.
Versions affected
- Flag page module 6.x-2.x versions prior to 6.x-2.2
- Flag page module 6.x-1.x versions prior to 6.x-1.3
Note: If you do not use the contributed flag_page module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Flag page module for Drupal 6.x-2.x upgrade to Flag Page 6.x-2.2
- If you use the Flag page module for Drupal 6.x-1.x upgrade to Flag Page 6.x-1.3
See also the Flag page project page.
Reported by
Fixed by
- Balazs Dianiska (snufkin)
- Alex Pott, module maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.