Vulnerability Name: CVE-2008-0274 (CCN-39605)
Assigned: 2008-01-10
Published: 2008-01-10
Updated: 2017-08-08
Summary: Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
    2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
    2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
    3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
    Source: MITRE Type: CNA CVE-2008-0274
    Source: CCN Type: DRUPAL-SA-2008-007 Drupal core - Cross site scripting (register_globals)
    Source: CONFIRM Type: UNKNOWN http://drupal.org/node/208565
    Source: CCN Type: SA28422 Drupal Multiple Vulnerabilities
    Source: SECUNIA Type: Patch 28422
    Source: CCN Type: SA28486 vbDrupal Multiple Vulnerabilities
    Source: SECUNIA Type: UNKNOWN 28486
    Source: CCN Type: OSVDB ID: 42165 Drupal Theme .tpl.php File XSS
    Source: BID Type: Patch 27238
    Source: CCN Type: BID-27238 Drupal Prior To 4.7.11 and 5.6 Multiple Remote Vulnerabilities
    Source: CONFIRM Type: UNKNOWN http://www.vbdrupal.org/forum/showthread.php?p=6878
    Source: CONFIRM Type: UNKNOWN http://www.vbdrupal.org/forum/showthread.php?t=1349
    Source: VUPEN Type: UNKNOWN ADV-2008-0127
    Source: VUPEN Type: UNKNOWN ADV-2008-0134
    Source: XF Type: UNKNOWN drupal-theme-xss(39605)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable