Description
This is a port of a patched vulnerability by the Backdrop Security Team in Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011.
Flag module allows flags to be added to nodes, comments, users, and any other type of entity.
The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.
Solution
Upgrade your site to the most recent version of Flag module.
If you use the Flag module for Drupal 7, upgrade to Flag 7.x-3.10:
Reported By
Fixed By
- Herb v/d Dool module maintainer
- Jen Lampton of the Backdrop CMS Security Team
- Nate Lampton of the Backdrop CMS Security Team
- David Snopek
- Neil Drumm of the Drupal Security Team
- Yonatan Offek
- Joachim Noreiko
- Ra Mänd of the Drupal Security Team
Coordinated By
- Jen Lampton of the Backdrop CMS Security Team
- Herb v/d Dool
- Tag1 D7ES