Facebook Like Button - Moderately Critical - XSS

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Facebook Like Button (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module provides a Facebook Like button on node pages and blocks.
The module does not sufficiently sanitize output when configured to use
custom CSS rules.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer fblikebutton".

VERSIONS AFFECTED

* Facebook Like Button 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Facebook Like
Button module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the fblikebutton module for Drupal 7.x, upgrade to Facebook
Like Button 7.x-2.6.

Also see the Facebook Like Button project page: https://www.drupal.org/project/fblikebutton
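
To confirm which release a site is actually running, the following added example (not part of the original advisory or the module's code) scans a Drupal root for fblikebutton.info and compares the declared version with 7.x-2.6. It assumes the .info file carries the `version = "..."` line that drupal.org packaging writes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag fblikebutton installs older than the fixed release.
# Assumption: the .info file has a packaging line such as: version = "7.x-2.5"

FIXED_PATCH=6   # the advisory names 7.x-2.6 as the fixed release

# Print the version declared in a .info file (empty output if none).
info_version() {
  sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*$/\1/p' "$1" |
    head -n 1
}

# Classify a version string as affected, fixed or unknown.
classify_version() {
  case "$1" in
    7.x-2.*) patch=${1#7.x-2.} ;;
    *) echo unknown; return 0 ;;      # other branch, or no version line
  esac
  case "$patch" in
    ''|*[!0-9]*) echo unknown ;;      # dev snapshots, rc tags: check manually
    *)
      if [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo affected
      else
        echo fixed
      fi
      ;;
  esac
}

# Print "status<TAB>version<TAB>path" for every copy of the module under $1.
scan_drupal_root() {
  find "$1" -type f -name fblikebutton.info 2>/dev/null |
    while IFS= read -r f; do
      v=$(info_version "$f")
      printf '%s\t%s\t%s\n' "$(classify_version "$v")" "${v:-none}" "$f"
    done
}

# Usage: sh check_fblikebutton.sh /path/to/drupal
if [ "$#" -gt 0 ]; then
  scan_drupal_root "$1"
fi
```

A result of `unknown` means the copy is a development snapshot or a checkout without packaging metadata and needs to be compared against the 7.x-2.6 release by hand.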
