Vulners
Lucene search
Drupal 5 / 6 / 7 Cross Site Scripting
🗓️ 25 Jun 2014 00:00:00Reported by Richard CliffordType 
packetstorm🔗 packetstormsecurity.com👁 19 Views
`Hi,
There is a persistent XSS in Drupal versions 5.x, 6.x and 7.x ( I have not
yet tested Drupal 8.x due to not being fully released ).
The function which is vulnerable is the watchdog() function, where the
$message parameter does not get sanitized and you can pass through
arbitrary code to be executed on the clients browser.
This can be exploited if a module/theme/hook call directly calls the
watchdog function. You could pass in a simple:
<script>alert(document.domain);</script> or whatever payload you wish.
For example, you could hijack the admin's browser using something like BeEF
framework or similar tools.
A simple way to fix this bug would be to wrap the $message htmlentities().
Thanks.
Richard Clifford.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jun 2014 00:00Current
0.2Low risk
Vulners AI Score0.2