------------SA-2008-022 - FLICKR - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2008-022
* Project: Flickr (third-party module)
* Version: 5.x, 6.x
* Date: 2008-April-02
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The Flickr module allows one to access photos on one's site via the Flickr API. The module provides a filter for inserting photos and photosets and blocks for a user's recent photos and photosets. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages.
------------VERSIONS AFFECTED------------
* Flickr for Drupal 5.x prior to 5.x-1.3
* Flickr for Drupal 6.x prior to 6.x-1.0-alpha
Drupal core is not affected. If you do not use the contributed Flickr module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you use Drupal 5.x install Flickr 5.x-1.3 [
http://drupal.org/node/241943 ].
* If you use Drupal 6.x install Flickr 6.x-1.0-alpha1. [
http://drupal.org/node/241941 ]
See also the Flickr project page [
http://drupal.org/project/flickr ].
------------REPORTED BY------------
Kees Cook [
https://wiki.ubuntu.com/KeesCook ] reported this issue.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].
Aanmelden
Registreren
FAQ
Zoeken
