CVE-2006-2832
Drupal 4.6.x-4.6.7 and 4.7.x-4.7.1 - Cross-Site Scripting via Uploaded Filename
Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.
References (7)
Core References
Patch, vdb-entry | x_refsource_bid | http://www.securityfocus.com/bid/18245
Third Party Advisory, VDB Entry, mailing-list | x_refsource_bugtraq | http://www.securityfocus.com/archive/1/435792/100/0/threaded
Third Party Advisory, vendor-advisory | x_refsource_debian | http://www.debian.org/security/2006/dsa-1125
Third Party Advisory, third-party-advisory | x_refsource_secunia | http://secunia.com/advisories/21244
Patch | x_refsource_confirm | http://drupal.org/node/66763
Third Party Advisory, third-party-advisory | x_refsource_sreason | http://securityreason.com/securityalert/1042
Patch, Vendor Advisory | x_refsource_confirm | http://drupal.org/files/sa-2006-007/advisory.txt
Scores
EPSS: 0.0053
EPSS Percentile: 67.3%
Details
Status: published
Products (11)
drupal/drupal 4.6
drupal/drupal 4.6.0
drupal/drupal 4.6.1
drupal/drupal 4.6.2
drupal/drupal 4.6.3
drupal/drupal 4.6.4
drupal/drupal 4.6.5
drupal/drupal 4.6.6
drupal/drupal 4.6.7
drupal/drupal 4.7.0
... and 1 more
Published: Jun 06, 2006
Tracked Since: Feb 18, 2026