Bug 281925

Summary: Drupal module "flag" 6.x-1.1 allows for XSS
Product: Gentoo Security
Reporter: Chris Rogers <crogers>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lampsecurity.org/drupal-flag-module-vulnerability
Whiteboard: B4 [upstream]
Package list:
Runtime testing required: ---

Description Chris Rogers 2009-08-18 15:30:47 UTC
Line 708 of flag.views.inc is not properly sanitized, allowing an attacker with administrative privileges, or access to the database, to create a flag that allows XSS.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-18 18:06:45 UTC
Chris, thanks for the report. However, the flag module is not part of the www-apps/drupal package and thus Gentoo doesn't ship it. Unless my research was wrong, there's nothing we can do. Otherwise please reopen.