CVE-2012-1646

Name of the Vulnerable Software and Affected Versions Drupal FAQ module versions 6.x-1.x before 6.x-1.13 Drupal FAQ module versions 7.x-1.x-rc1

Description The issue allows remote authenticated users to inject arbitrary web script or HTML. This is achieved via the title parameter in faq.admin.inc or the detailed question parameter in faq.module.

Recommendations For Drupal FAQ module versions 6.x-1.x before 6.x-1.13, update to version 6.x-1.13 or later. For Drupal FAQ module version 7.x-1.x-rc1, consider disabling the FAQ module until a patch is available. As a temporary workaround, restrict access to the title parameter in faq.admin.inc and the detailed question parameter in faq.module to minimize the risk of exploitation.