CVE-2005-3973

Drupal 4.5.0-4.5.5 and 4.6.0-4.6.3 - Cross-Site Scripting via HTML Tag Injection

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value parameter used in (2) label and (3) input tags, possibly due to an incomplete blacklist.

References (8)

Various Sources x_refsource_misc
http://drupal.org/files/sa-2005-007/4.6.3.patch
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2684
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15677
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-958
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/418292/100/0/threaded
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/files/sa-2005-007/advisory.txt
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18630
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17824

Scores

EPSS 0.0060
EPSS Percentile 69.8%

Details

Status published
Products (10)
drupal/drupal 4.5.0
drupal/drupal 4.5.1
drupal/drupal 4.5.2
drupal/drupal 4.5.3
drupal/drupal 4.5.4
drupal/drupal 4.5.5
drupal/drupal 4.6.0
drupal/drupal 4.6.1
drupal/drupal 4.6.2
drupal/drupal 4.6.3
Published Dec 03, 2005
Tracked Since Feb 18, 2026