Yonatan Offek

**Name of the Vulnerable Software and Affected Versions** Drupal Form Builder versions 7.X-1.0 through 7.X-1.22 **Description** A flaw exists in Drupal Form Builder that allows for Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. Successful exploitation could allow an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** Update Drupal Form Builder to a version later than 7.X-1.22.

**Name of the Vulnerable Software and Affected Versions** Backdrop CMS Flag module versions prior to 1.x-3.6.2 **Description** A Cross-Site Scripting issue was discovered in the Flag module for Backdrop CMS. The module does not verify flag links before performing the flag action, or verify that the response returned was provided by the flag module, allowing crafted HTML to result in Cross Site Scripting. This issue is mitigated by the fact that an attacker must have a role with permission to create links on the website. **Recommendations** For Backdrop CMS Flag module versions prior to 1.x-3.6.2, update to version 1.x-3.6.2 or later to resolve the issue. As a temporary workaround, consider restricting the permission to create links on the website to minimize the risk of exploitation.