CVE-2008-3219
Drupal 5.x < 5.8 and 6.x < 6.3 - Cross-Site Scripting via Object HTML Tag
Title source: llmDescription
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30168
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/280571
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=454849
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31079
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/07/10/3
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/43701
Scores
EPSS
0.0087
EPSS Percentile
75.4%
Details
CWE
CWE-79
Status
published
Products (3)
drupal/drupal
5.0 - 5.8
fedoraproject/fedora
8
fedoraproject/fedora
9
Published
Jul 18, 2008
Tracked Since
Feb 18, 2026