SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)

CVE: CVE-2012-2065

The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core.
The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer languages”.

Versions affected

• Language icons 6.x-2.x versions prior to 6.x-2.1.
• Language icons 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Language icons module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Language icons module for Drupal 6.x, upgrade to Language icons 6.x-2.1
• If you use the Language icons module for Drupal 7.x, upgrade to Language icons 7.x-1.0

See also the Language icons project page.

Reported by

• Jose Reyero the original module author
• Frederik “Freso” S. Olesen the current module maintainer

Fixed by

• Frederik “Freso” S. Olesen the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team