Date
Severity
Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.12

Description

The Facebook Wall module fetches posts and comments from a configured Facebook page via the Graph API and renders them in a Drupal page or block.

The module doesn't sanitize text content or URLs returned by the Facebook API before writing them to the page — including post messages, story text, link titles, captions, descriptions, commenter names, comment bodies, and all image and hyperlink URLs. A secondary issue causes the Facebook application secret and exchange token to be transmitted as URL query parameters when refreshing the long-lived access token, exposing those credentials to server access logs.

This vulnerability is mitigated by the fact that exploitation requires an attacker to control content on the specific Facebook page configured in the module — either as a page administrator or, more commonly, as any Facebook user permitted to comment on that page's posts.

Solution

Install the latest version.

If you use the Facebook Wall module for Drupal 7, upgrade to facebook_wall 7.x-1.12:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES