Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2007-5621

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-22 Oct, 2007 | 19:00
Updated At-07 Aug, 2024 | 15:39
Rejected At-
Credits

Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:22 Oct, 2007 | 19:00
Updated At:07 Aug, 2024 | 15:39
Rejected At:
▼CVE Numbering Authority (CNA)

Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://osvdb.org/38073
vdb-entry
x_refsource_OSVDB
https://exchange.xforce.ibmcloud.com/vulnerabilities/37275
vdb-entry
x_refsource_XF
http://drupal.org/node/184336
x_refsource_CONFIRM
http://secunia.com/advisories/27291
third-party-advisory
x_refsource_SECUNIA
Hyperlink: http://osvdb.org/38073
Resource:
vdb-entry
x_refsource_OSVDB
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/37275
Resource:
vdb-entry
x_refsource_XF
Hyperlink: http://drupal.org/node/184336
Resource:
x_refsource_CONFIRM
Hyperlink: http://secunia.com/advisories/27291
Resource:
third-party-advisory
x_refsource_SECUNIA
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://osvdb.org/38073
vdb-entry
x_refsource_OSVDB
x_transferred
https://exchange.xforce.ibmcloud.com/vulnerabilities/37275
vdb-entry
x_refsource_XF
x_transferred
http://drupal.org/node/184336
x_refsource_CONFIRM
x_transferred
http://secunia.com/advisories/27291
third-party-advisory
x_refsource_SECUNIA
x_transferred
Hyperlink: http://osvdb.org/38073
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/37275
Resource:
vdb-entry
x_refsource_XF
x_transferred
Hyperlink: http://drupal.org/node/184336
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://secunia.com/advisories/27291
Resource:
third-party-advisory
x_refsource_SECUNIA
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:22 Oct, 2007 | 19:46
Updated At:29 Jul, 2017 | 01:33

Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
The Drupal Association
drupal
>>asin_field_module>>*
cpe:2.3:a:drupal:asin_field_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>4.7
cpe:2.3:a:drupal:drupal:4.7:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>5.0
cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>5.1
cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>5.2
cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
The Drupal Association
drupal
>>e-commerce_module>>*
cpe:2.3:a:drupal:e-commerce_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>fullname_field_for_cck>>*
cpe:2.3:a:drupal:fullname_field_for_cck:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>invite_module>>*
cpe:2.3:a:drupal:invite_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>node_relativity_module>>*
cpe:2.3:a:drupal:node_relativity_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>pathauto_module>>*
cpe:2.3:a:drupal:pathauto_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>paypal_node_module>>*
cpe:2.3:a:drupal:paypal_node_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>token_module>>Versions up to 1.4(inclusive)
cpe:2.3:a:drupal:token_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>token_module>>Versions up to 1.8(inclusive)
cpe:2.3:a:drupal:token_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>ubercart_module>>*
cpe:2.3:a:drupal:ubercart_module:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://drupal.org/node/184336cve@mitre.org
Patch
http://osvdb.org/38073cve@mitre.org
N/A
http://secunia.com/advisories/27291cve@mitre.org
Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/37275cve@mitre.org
N/A
Hyperlink: http://drupal.org/node/184336
Source: cve@mitre.org
Resource:
Patch
Hyperlink: http://osvdb.org/38073
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://secunia.com/advisories/27291
Source: cve@mitre.org
Resource:
Patch
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/37275
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6574Records found
CVE-2009-1249
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.56%
||
7 Day CHG~0.00%
Published-06 Apr, 2009 | 16:00
Updated-17 Sep, 2024 | 03:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-feedapi_mapperdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-5096
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.68%
||
7 Day CHG~0.00%
Published-13 Sep, 2011 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.

Action-Not Available
Vendor-khalid_baheyeldinn/aThe Drupal Association
Product-drupalflag_contentn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-0575
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.20%
||
7 Day CHG~0.00%
Published-13 Feb, 2009 | 17:00
Updated-07 Aug, 2024 | 04:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the theme_views_bulk_operations_confirmation function in views_bulk_operations.module in Views Bulk Operations 5.x before 5.x-1.3 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to node titles. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-views_bulk_operationsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6135
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.56%
||
7 Day CHG~0.00%
Published-14 Feb, 2009 | 02:00
Updated-07 Aug, 2024 | 11:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-everyblogdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6835
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.20%
||
7 Day CHG~0.00%
Published-27 Jun, 2009 | 18:00
Updated-16 Sep, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-peter_wolaninn/aThe Drupal Association
Product-drupalopenidn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4524
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.68%
||
7 Day CHG~0.00%
Published-31 Dec, 2009 | 19:00
Updated-07 Aug, 2024 | 07:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.

Action-Not Available
Vendor-nancy_wichmannn/aThe Drupal Association
Product-realnamedrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3783
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.20%
||
7 Day CHG~0.00%
Published-26 Oct, 2009 | 17:00
Updated-07 Aug, 2024 | 06:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vector.

Action-Not Available
Vendor-sjoerd_arendsenn/aThe Drupal Association
Product-drupalsimplenews_statisticsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3651
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.68%
||
7 Day CHG~0.00%
Published-09 Oct, 2009 | 14:18
Updated-07 Aug, 2024 | 06:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the "Monitor browsers' feature in Browscap before 5.x-1.1 and 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.

Action-Not Available
Vendor-mikeryann/aThe Drupal Association
Product-browscapdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3479
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.14%
||
7 Day CHG~0.00%
Published-30 Sep, 2009 | 15:00
Updated-16 Sep, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title.

Action-Not Available
Vendor-ron_jeromen/aThe Drupal Association
Product-bibliographydrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-2370
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.68%
||
7 Day CHG~0.00%
Published-08 Jul, 2009 | 15:00
Updated-16 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-michelle_coxn/aThe Drupal Association
Product-advanced_forumdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6413
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.20%
||
7 Day CHG~0.00%
Published-06 Mar, 2009 | 11:00
Updated-07 Aug, 2024 | 11:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.

Action-Not Available
Vendor-ticklespacen/aThe Drupal Association
Product-answers_moduledrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6275
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.20%
||
7 Day CHG~0.00%
Published-25 Feb, 2009 | 23:00
Updated-07 Aug, 2024 | 11:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified messages.

Action-Not Available
Vendor-n/aJoomla!The Drupal Association
Product-joomla\!user_karma_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1611
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 62.36%
||
7 Day CHG~0.00%
Published-30 Jan, 2014 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field.

Action-Not Available
Vendor-anonymous_posting_projectn/aThe Drupal Association
Product-anonymous_postingdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-31160
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-6.79% / 90.94%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 00:00
Updated-22 Apr, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Action-Not Available
Vendor-jqueryuijQuery (OpenJS Foundation)NetApp, Inc.The Drupal AssociationFedora ProjectDebian GNU/Linux
Product-debian_linuxh500sjquery_uih410s_firmwareh700s_firmwareh500s_firmwareh300s_firmwareh410c_firmwarefedorah410sjquery_ui_checkboxradioh410ch300sh700soncommand_insightjquery-ui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1607
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 58.34%
||
7 Day CHG~0.00%
Published-26 Jan, 2014 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6533
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 65.29%
||
7 Day CHG~0.00%
Published-26 Mar, 2009 | 20:28
Updated-07 Aug, 2024 | 11:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25276
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-1.24% / 78.45%
||
7 Day CHG~0.00%
Published-26 Apr, 2023 | 00:00
Updated-03 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1916
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.55%
||
7 Day CHG~0.00%
Published-22 Apr, 2008 | 00:00
Updated-07 Aug, 2024 | 08:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attackers to inject arbitrary web script or HTML via text fields intended for the (1) address and (2) order information, which are later displayed on the order view page and unspecified other administrative pages, a different vulnerability than CVE-2008-1428.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-ubercart_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4596
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.61%
||
7 Day CHG~0.00%
Published-17 Oct, 2008 | 21:00
Updated-07 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in generated pages.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-shindig-integratorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4149
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 63.90%
||
7 Day CHG~0.00%
Published-19 Sep, 2008 | 18:00
Updated-07 Aug, 2024 | 10:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-link_to_usn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4147
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-19 Sep, 2008 | 18:00
Updated-07 Aug, 2024 | 10:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-mailsaven/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4710
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.55%
||
7 Day CHG~0.00%
Published-23 Oct, 2008 | 17:00
Updated-07 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupalstock_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41183
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-2.36% / 84.31%
||
7 Day CHG~0.00%
Published-26 Oct, 2021 | 00:00
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in `*Text` options of the Datepicker widget

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

Action-Not Available
Vendor-jqueryuijQuery (OpenJS Foundation)Oracle CorporationNetApp, Inc.Tenable, Inc.The Drupal AssociationFedora ProjectDebian GNU/Linux
Product-peoplesoft_enterprise_peopletoolsjquery_uiprimavera_gatewayh300s_firmwareh410c_firmwareh410spolicy_automationbanking_platformh300sagile_plmh300e_firmwareh500efedorah500s_firmwareh500e_firmwaredrupalcommunications_interactive_session_recorderh700eapplication_expressh300ecommunications_operations_monitorrest_data_servicesh500shospitality_suite8tenable.schospitality_inventory_managementdebian_linuxweblogic_serverh410s_firmwaremysql_enterprise_monitorh700s_firmwareh410ch700e_firmwarebig_data_spatial_and_graphh700sjd_edwards_enterpriseone_toolsjquery-ui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3740
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.65% / 69.90%
||
7 Day CHG~0.00%
Published-27 Aug, 2008 | 15:00
Updated-07 Aug, 2024 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6388
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.55%
||
7 Day CHG~0.00%
Published-24 Dec, 2013 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3218
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 63.40%
||
7 Day CHG~0.00%
Published-18 Jul, 2008 | 16:00
Updated-07 Aug, 2024 | 09:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Action-Not Available
Vendor-n/aFedora ProjectThe Drupal Association
Product-fedoradrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5938
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-25 Sep, 2013 | 14:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form.

Action-Not Available
Vendor-click2selln/aThe Drupal Association
Product-drupalclick2sell_suite_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.1||LOW
EPSS-0.23% / 45.89%
||
7 Day CHG~0.00%
Published-30 Sep, 2013 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.

Action-Not Available
Vendor-joachim_noreikon/aThe Drupal Association
Product-flag_moduledrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41182
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-26.48% / 96.13%
||
7 Day CHG~0.00%
Published-26 Oct, 2021 | 00:00
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in the `altField` option of the Datepicker widget

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

Action-Not Available
Vendor-jqueryuijQuery (OpenJS Foundation)Oracle CorporationNetApp, Inc.Tenable, Inc.The Drupal AssociationFedora ProjectDebian GNU/Linux
Product-peoplesoft_enterprise_peopletoolsprimavera_unifierjquery_uih410c_firmwareh300s_firmwareh410spolicy_automationbanking_platformh300sagile_plmh300e_firmwareh500efedorah500s_firmwareh500e_firmwaredrupalcommunications_interactive_session_recorderh700eapplication_expressh300ecommunications_operations_monitorrest_data_servicesh500shospitality_materials_controlhospitality_suite8tenable.schospitality_inventory_managementdebian_linuxweblogic_serverh410s_firmwaremysql_enterprise_monitorh700s_firmwareh410ch700e_firmwarebig_data_spatial_and_graphh700sjd_edwards_enterpriseone_toolsjquery-ui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3219
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.66% / 70.31%
||
7 Day CHG~0.00%
Published-18 Jul, 2008 | 16:00
Updated-07 Aug, 2024 | 09:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Action-Not Available
Vendor-n/aFedora ProjectThe Drupal Association
Product-fedoradrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4138
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.21% / 43.37%
||
7 Day CHG~0.00%
Published-28 Aug, 2013 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Hatch theme 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with the "Administer content," "Create new article," or "Edit any article type content" permission to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-alienwpn/aThe Drupal Association
Product-drupalhatchn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4383
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.21% / 43.37%
||
7 Day CHG~0.00%
Published-31 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-dennis_bruecken/aThe Drupal Association
Product-jquery_countdowndrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4380
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.23% / 45.89%
||
7 Day CHG~0.00%
Published-20 May, 2014 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings.

Action-Not Available
Vendor-mediafrontn/aThe Drupal Association
Product-drupalmediafrontn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4274
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.23% / 45.89%
||
7 Day CHG~0.00%
Published-28 Aug, 2013 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page.

Action-Not Available
Vendor-erikwebbn/aThe Drupal Association
Product-drupalpassword_policyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4174
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 66.81%
||
7 Day CHG~0.00%
Published-19 Aug, 2013 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Scald module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) flash_uri, (2) flash_width, or (3) flash_height in the scald_flash_scald_prerender function in providers/scald_flash/scald_flash.module; or the (4) caption in the scald_image_scald_prerender function in providers/scald_image/scald_image.module.

Action-Not Available
Vendor-owsn/aThe Drupal Association
Product-drupalscaldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41184
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-29.90% / 96.48%
||
7 Day CHG~0.00%
Published-26 Oct, 2021 | 00:00
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in the `of` option of the `.position()` util

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

Action-Not Available
Vendor-jqueryuijQuery (OpenJS Foundation)Oracle CorporationNetApp, Inc.Tenable, Inc.The Drupal AssociationFedora Project
Product-peoplesoft_enterprise_peopletoolsprimavera_unifierjquery_uih300s_firmwareh410c_firmwareh410spolicy_automationbanking_platformh300sagile_plmh300e_firmwareh500efedorah500s_firmwareh500e_firmwaredrupalcommunications_interactive_session_recorderh700eapplication_expressh300ecommunications_operations_monitorrest_data_servicesh500shospitality_materials_controlhospitality_suite8tenable.schospitality_inventory_managementweblogic_serverh410s_firmwareh700s_firmwareh410ch700e_firmwarebig_data_spatial_and_graphh700sjd_edwards_enterpriseone_toolsjquery-ui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13672
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.62% / 68.97%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:30
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13688
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.16%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:08
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13673
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 47.83%
||
7 Day CHG-0.04%
Published-11 Feb, 2022 | 15:35
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Action-Not Available
Vendor-The Drupal Association
Product-entity_embedEntity Embed
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13669
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 66.08%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:25
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2998
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.59%
||
7 Day CHG~0.00%
Published-03 Jul, 2008 | 17:47
Updated-07 Aug, 2024 | 09:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupalaggregation_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13668
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.57% / 67.77%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:15
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access bypass in Drupal Core 8/9

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13666
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.34% / 55.83%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 13:50
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1780
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.35% / 57.02%
||
7 Day CHG~0.00%
Published-27 Mar, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

Action-Not Available
Vendor-devsarann/aThe Drupal Association
Product-drupalbest_responsiven/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-2715
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.1||LOW
EPSS-0.25% / 48.46%
||
7 Day CHG~0.00%
Published-27 Mar, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name.

Action-Not Available
Vendor-thomas_seidln/aThe Drupal Association
Product-drupalsearch_apin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1887
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.28% / 51.19%
||
7 Day CHG~0.00%
Published-27 Mar, 2013 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.

Action-Not Available
Vendor-views_projectn/aThe Drupal Association
Product-drupalviewsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1971
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.16% / 37.20%
||
7 Day CHG~0.00%
Published-25 Jun, 2013 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file.

Action-Not Available
Vendor-jordan_de_launen/aThe Drupal Association
Product-drupalmp3_playern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1786
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.23% / 45.89%
||
7 Day CHG~0.00%
Published-27 Mar, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-devsarann/aThe Drupal Association
Product-drupalcompanyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2773
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.59%
||
7 Day CHG~0.00%
Published-18 Jun, 2008 | 22:00
Updated-07 Aug, 2024 | 09:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-taxonomy_image_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1783
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.1||LOW
EPSS-0.35% / 57.02%
||
7 Day CHG~0.00%
Published-27 Mar, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-devsarann/aThe Drupal Association
Product-drupalbusinessn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 131
  • 132
  • Next
Details not found