CVE-2006-4949
Drupal Site Profile Directory Module - Cross-Site Scripting via Name and Title Parameters
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profile Directory (profile_pages.module) before 1.1.2.1 and the Drupal 4.7 Site Profile Directory (profile_pages.module) before 1.2.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output," possibly in the name and title parameters.
References (5)
Core 5
Core References
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3714
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/29029
Various Sources x_refsource_confirm
http://drupal.org/node/85048
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/22035
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29061
Scores
EPSS
0.0042
EPSS Percentile
61.8%
Details
Status
published
Products (1)
drupal/site_profile_directory_module
Published
Sep 23, 2006
Tracked Since
Feb 18, 2026