Description
The Flag module allows site administrators to create customizable flags that users can set on content entities such as nodes, comments, and users.
The module did not enforce any limit on how frequently an authenticated user could perform flagging operations. An attacker with a user account and flag permissions could script repeated flag/unflag cycles to generate a large volume of database writes, artificially distort flag counters visible to other users, and cause performance degradation or denial of service.
This vulnerability is mitigated by the fact that an attacker must have a valid user account with explicit flagging permissions for the targeted flag.
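The scripted flag/unflag cycle described above, and the per-user flood control that stops it, as an added example. This is not code from the Flag module or from Drupal core: it models a sliding-window limiter in the style of Drupal's flood_is_allowed()/flood_register_event() in front of a minimal flag service, and runs a constructed attack (one account toggling one node at 10 operations per second) against both the unthrottled and the throttled variant. The threshold, window, service shape, user and entity ids are assumptions chosen for illustration.

```python
"""Per-user flood control for flag/unflag operations.

Added example, not code from the Flag module or Drupal core. It models the
check the advisory says was missing: a sliding window of recent flag
operations per (user, flag) that is consulted before every flag/unflag and
recorded after it, in the style of Drupal's flood_is_allowed() and
flood_register_event(). Threshold, window, service shape and the simulated
attack are all assumptions.
"""
from collections import defaultdict, deque


class FlagFloodControl:
    """Sliding-window limiter: at most `threshold` events per `window_ms`."""

    def __init__(self, threshold=20, window_ms=60_000):
        self.threshold = threshold
        self.window_ms = window_ms
        # (uid, flag_name) -> timestamps (ms) of recent flag/unflag events
        self._events = defaultdict(deque)

    def _prune(self, key, now_ms):
        q = self._events[key]
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()

    def is_allowed(self, uid, flag_name, now_ms):
        key = (uid, flag_name)
        self._prune(key, now_ms)
        return len(self._events[key]) < self.threshold

    def register_event(self, uid, flag_name, now_ms):
        self._events[(uid, flag_name)].append(now_ms)


class NoFloodControl:
    """Behaviour of the unpatched module: every request is allowed."""

    def is_allowed(self, uid, flag_name, now_ms):
        return True

    def register_event(self, uid, flag_name, now_ms):
        pass


class FlagService:
    """Minimal stand-in for flag/unflag handling with a write counter."""

    def __init__(self, flood):
        self.flood = flood
        self.flaggings = defaultdict(set)   # flag_name -> {(uid, entity_id)}
        self.db_writes = 0

    def count(self, flag_name, entity_id):
        """Flag counter as shown to other users."""
        return sum(1 for _, eid in self.flaggings[flag_name] if eid == entity_id)

    def toggle(self, uid, flag_name, entity_id, now_ms):
        """Flag if unflagged, unflag if flagged. Returns False when throttled."""
        if not self.flood.is_allowed(uid, flag_name, now_ms):
            return False
        key = (uid, entity_id)
        if key in self.flaggings[flag_name]:
            self.flaggings[flag_name].remove(key)
        else:
            self.flaggings[flag_name].add(key)
        self.db_writes += 1
        # Recorded after the write, so a rejected request consumes no quota.
        self.flood.register_event(uid, flag_name, now_ms)
        return True


def simulate_attack(flood, cycles=1000, interval_ms=100):
    """Constructed attack: uid 42 toggles flag 'bookmark' on node 7 at 10 ops/s.

    Returns (accepted, rejected, db_writes).
    """
    svc = FlagService(flood)
    accepted = rejected = 0
    for i in range(cycles):
        if svc.toggle(uid=42, flag_name="bookmark", entity_id=7,
                      now_ms=i * interval_ms):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, svc.db_writes


if __name__ == "__main__":
    print("unpatched:", simulate_attack(NoFloodControl()))
    print("throttled:", simulate_attack(FlagFloodControl(20, 60_000)))
```

With the assumed limit of 20 operations per 60 seconds, the 1000-request script produces 1000 database writes against the unthrottled service but only 40 against the throttled one (20 in the first window, 20 more once the oldest events age out), and the remaining requests are refused before any write happens. The window is keyed on (user, flag) rather than on entity, so an attacker cannot evade it by spreading the cycle across many nodes.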
Solution
Install the latest version.
If you use the Flag module for Drupal 7, upgrade to flag 7.x-3.11.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES