Vulnerability Name: CVE-2010-2472 (CCN-171436)
Assigned: 2010-03-03
Published: 2010-03-03
Updated: 2019-11-13
Summary: The Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before 5.22 do not properly sanitize the display of language codes and of native and English language names, which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
CVSS v3 Severity:
4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: MITRE Type: CNA CVE-2010-2472
Source: XF Type: UNKNOWN drupal-locale-cve20102472-xss(171436)
Source: MISC Type: Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2010-2472
Source: CCN Type: SA-CORE-2010-001 Drupal core - Multiple vulnerabilities
Source: CONFIRM Type: Patch, Vendor Advisory https://www.drupal.org/node/731710
Source: MLIST Type: Mailing List, Third Party Advisory MLIST: [oss-security] 20100628 Re: CVE Request -- Drupal v6.16 / v5.22 SA-CORE-2010-001
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable