CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS: 0.967 High
Percentile: 99.7%
CVE: CVE-2012-2065
The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core.
The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer languages”.
Drupal core is not affected. If you do not use the contributed Language icons module, there is nothing you need to do.
Install the latest version:
See also the Language icons project page.
drupal.org/contact
drupal.org/node/1482136
drupal.org/node/1482144
drupal.org/project/languageicons
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/27504
drupal.org/user/36762
drupal.org/user/4299
drupal.org/writing-secure-code
en.wikipedia.org/wiki/Cross-site_scripting