Description
Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6, allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module.
References (10)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36002
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/37209
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/25321
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/37208
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2876
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26416
Various Sources x_refsource_confirm
http://drupal.org/node/166994
Various Sources x_refsource_confirm
http://drupal.org/node/166992
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36000
Various Sources x_refsource_confirm
http://drupal.org/node/166998
Scores
EPSS
0.0120
EPSS Percentile
79.1%
Details
Status
published
Products (2)
drupal/content_construction_kit
4.7
drupal/content_construction_kit
5.2
Published
Aug 15, 2007
Tracked Since
Feb 18, 2026