CVE-2006-0070
Drupal - Cross-Site Scripting via Encoded JavaScript in IMG Tag
Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded JavaScript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE.
References (2)
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420683/100/0/threaded
Exploit, Vendor Advisory mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420671/100/0/threaded
Scores
EPSS
0.0066
EPSS Percentile
71.3%
Details
Status
published
Products (2)
drupal/drupal
4.5.6
drupal/drupal
4.6.4
Published
Jan 04, 2006
Tracked Since
Feb 18, 2026