On line 1143 the $_GET['q'] is printed without check_plain. Opens an attack for inserting markup and JavaScript through the URL.
Comments
Comment #1
Jorrit commented: Fixed in 5.x-2.x and 6.x-1.x.
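
The pattern described in the report and its fix, as an added example that is not the module's own code: the function names and sample paths are hypothetical, and `example_check_plain()` is a stand-in assumed to mirror Drupal 6's `check_plain()` so the script runs outside Drupal.

```php
<?php
// Stand-in for Drupal's check_plain() (assumption: same behaviour as the
// Drupal 6 version: reject invalid UTF-8, then escape &, <, >, " and ').
function example_check_plain($text) {
  $valid_utf8 = (strlen($text) == 0) || (preg_match('/^./us', $text) == 1);
  return $valid_utf8 ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}

// Hypothetical "before": the request path goes into the markup unescaped,
// as the report describes for $_GET['q'].
function example_render_unsafe($q) {
  return '<a href="/' . $q . '">Current page</a>';
}

// Hypothetical "after": the path is escaped at the point of output.
function example_render_safe($q) {
  return '<a href="/' . example_check_plain($q) . '">Current page</a>';
}

// A rendering is intact when it contains only the template's own
// delimiters: two "<" (open and close tag) and two double quotes.
function example_markup_intact($html) {
  return substr_count($html, '<') === 2 && substr_count($html, '"') === 2;
}

// Constructed sample values standing in for $_GET['q'].
$samples = array(
  'node/12',                     // ordinary path
  'node/12"><em>injected</em>',  // closes the attribute and adds markup
  "node/\xC3\x28",               // invalid UTF-8 byte sequence
);

foreach ($samples as $q) {
  $unsafe = example_render_unsafe($q);
  $safe = example_render_safe($q);
  printf("input:  %s\n", json_encode($q, JSON_PARTIAL_OUTPUT_ON_ERROR));
  printf("unsafe: %s [%s]\n", $unsafe,
    example_markup_intact($unsafe) ? 'intact' : 'structure changed');
  printf("safe:   %s [%s]\n\n", $safe,
    example_markup_intact($safe) ? 'intact' : 'structure changed');
}
```

Only the second sample changes the structure of the unescaped output; every escaped rendering keeps the template's structure, and the invalid UTF-8 input is reduced to an empty string.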