On line 1143 the $_GET['q'] is printed without check_plain. Opens an attack for inserting markup and javascript through the URL.

Comments

Jorrit’s picture

Status: Active » Fixed

Fixed in 5.x-2.x and 6.x-1.x.

Status: Fixed » Closed (fixed)
Issue tags: -security

Automatically closed -- issue fixed for 2 weeks with no activity.