Bug 281925 - Drupal module "flag" 6.x-1.1 allows for XSS
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://lampsecurity.org/drupal-flag-m...
Whiteboard: B4 [upstream]
Reported: 2009-08-18 15:30 UTC by Chris Rogers
Modified: 2009-08-18 18:06 UTC
Description Chris Rogers 2009-08-18 15:30:47 UTC
Line 708 of flag.views.inc is not properly sanitized, allowing an attacker with administrative privileges, or access to the database, to create a flag that allows XSS.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-18 18:06:45 UTC
Chris, thanks for the report. However, the flag module is not part of the www-apps/drupal package and thus Gentoo doesn't ship it. Unless my research was wrong, there's nothing we can do. Otherwise please reopen.