CVE-2008-0274
Drupal 4.7.x and 5.x - Cross-Site Scripting via Theme Template Files
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
References (9)
Core 9
Core References
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0134
Various Sources x_refsource_confirm
http://www.vbdrupal.org/forum/showthread.php?p=6878
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/27238
Patch third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28422
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/39605
Various Sources x_refsource_confirm
http://drupal.org/node/208565
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0127
Various Sources x_refsource_confirm
http://www.vbdrupal.org/forum/showthread.php?t=1349
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28486
Scores
EPSS
0.0079
EPSS Percentile
74.1%
Details
CWE
CWE-79
Status
published
Products (2)
drupal/drupal
4.7
drupal/drupal
5.0
Published
Jan 15, 2008
Tracked Since
Feb 18, 2026