CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
65.8%
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not “prevent use of the object HTML tag in administrator input,” which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
Vendor | Product | Version | CPE |
---|---|---|---|
drupal | drupal | * | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
fedoraproject | fedora | 8 | cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:* |
fedoraproject | fedora | 9 | cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:* |
drupal.org/node/280571
secunia.com/advisories/31079
www.openwall.com/lists/oss-security/2008/07/10/3
www.securityfocus.com/bid/30168
bugzilla.redhat.com/show_bug.cgi?id=454849
exchange.xforce.ibmcloud.com/vulnerabilities/43701
www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html
www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html
www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html