Good morning,
Could a CVE please be assigned to http://seclists.org/fulldisclosure/2014/May/44 if one has not been already?
Apart from version 7, drupal6-flag-2.1-1.fc20 looks affected - patch applies, but I did not test it. For an older version, drupal6-flag-1.3-3.fc19 appears unaffected.
Cheers,
–
Murray McAllister / Red Hat Security Response Team