CVE-2014-3453

Name of the Vulnerable Software and Affected Versions Flag module versions 7.x-3.0 through 7.x-3.5

Description The issue allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area in the /admin/structure/flags/import API endpoint. This could potentially be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page.

Recommendations For Flag module versions 7.x-3.0 through 7.x-3.5, consider disabling the flag import form validate function until a patch is available to prevent exploitation. Restrict access to the /admin/structure/flags/import endpoint to minimize the risk of arbitrary PHP code execution. Avoid using the Flag import code text area in the affected endpoint until the issue is resolved.