CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
AI Score: 7.5 High (Confidence: Low)
EPSS: 0.034 Low (Percentile: 91.5%)
The comment_form_add_preview function in comment.module in Drupal before 4.7.6 and 5.x before 5.1, and in vbDrupal, allows remote attackers with “post comments” privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by “normal form validation routines.”
archives.neohapsis.com/archives/bugtraq/2007-01/0670.html
drupal.org/node/113935
osvdb.org/32136
secunia.com/advisories/23960
secunia.com/advisories/23990
www.securityfocus.com/bid/22306
www.vbdrupal.org/forum/showthread.php?t=786
www.vupen.com/english/advisories/2007/0406
www.vupen.com/english/advisories/2007/0415
exchange.xforce.ibmcloud.com/vulnerabilities/31940