CVE-2008-3218

Drupal 6.x <6.3 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

References (9)

[Vendor Advisory] http://drupal.org/node/280571

[Third Party Advisory] http://secunia.com/advisories/31079

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2008/07/10/3

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/30168

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=454849

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/43704

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html

Scores

EPSS 0.0086

EPSS Percentile 74.8%

Classification

CWE

CWE-79

Status draft

Affected Products (4)

drupal/drupal < 6.3

fedoraproject/fedora

fedoraproject/fedora

drupal/drupal < 6.3Packagist

Timeline

Published Jul 18, 2008

Tracked Since Feb 18, 2026