Date:
Wednesday, Apr 16th, 2025
Advisory ID:
BACKDROP-SA-CONTRIB-2025-011
Security risk:
Moderately Critical
Vulnerability:
Cross Site Scripting
Versions affected:
- Flag versions prior to 1.x-3.6.2
Description:
Flag module allows flags to be added to nodes, comments, users, and any other type of entity.
The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.
A CVE has been requested, and this page will be updated as soon as an official number has been issued.
Solution:
Upgrade your site to the most recent version of Flag module.
Reported By:
Fixed By:
- Herb v/d Dool module maintainer
- Jen Lampton of the Backdrop CMS Security Team
- Nate Lampton of the Backdrop CMS Security Team
- David Snopek
- Neil Drumm of the Drupal Security Team
- Yonatan Offek
- Joachim Noreiko
- Ra Mänd of the Drupal Security Team
Coordinated By:
- Jen Lampton of the Backdrop CMS Security Team
- Herb v/d Dool