CVE-2007-0626
Drupal 4.7.0-4.7.5 - Authenticated Remote Code Execution via Comment Preview
Title source: llmDescription
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
References (10)
Core 10
Core References
Broken Link x_refsource_confirm
http://www.vbdrupal.org/forum/showthread.php?t=786
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/22306
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/23960
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0406
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/32136
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0415
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/31940
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/113935
Broken Link mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2007-01/0670.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/23990
Scores
EPSS
0.0497
EPSS Percentile
89.8%
Details
Status
published
Products (1)
drupal/drupal
4.7.0 - 4.7.6
Published
Jan 31, 2007
Tracked Since
Feb 18, 2026