Flag Lists - Moderately Critical - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2016-051
* Project: Flag Lists (third-party module)
* Version: 7.x
* Date: 2016-September-07
* Security risk: 14/25 ( Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables regular users to create unlimited private flags called
lists.

The flag_lists module doesn't sufficiently filter the output when applying
token strings to flag_lists links leading to a persistent Cross Site
Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "Create flag lists" permission.

VERSIONS AFFECTED

* flag_lists 7.x-3.x versions prior to 7.x-3.1.
* flag_lists 7.x-1.x versions prior to 7.x-1.3.

Please note that there are two different versions available of the flag_lists
module. One 7.x-3.x which is used together with flag 7.x-3.x and one for the
earlier flag module prior to 7.x-3.x.

Drupal core is not affected. If you do not use the contributed Flag lists
module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Flag Lists
module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the flag_lists module for Drupal 7.x-3.x, upgrade to Flag Lists 7.x-3.1
* If you use the flag_lists module for Drupal 7.x-1.x, upgrade to Flag Lists 7.x-1.3

Also see the Flag Lists project page: https://www.drupal.org/project/flag_lists

Add new comment