CVE-2008-3741

Drupal <5.10, <6.4 - XSS

Title source: llm

Description

The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.

References (9)

[Patch] http://drupal.org/node/295053

[Third Party Advisory] http://secunia.com/advisories/31462

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=459108

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/44446

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/30689

[Third Party Advisory] http://secunia.com/advisories/31825

[Third Party Advisory] http://www.vupen.com/english/advisories/2008/2392

Scores

EPSS 0.0035

EPSS Percentile 57.1%

Classification

CWE

CWE-79

Status draft

Affected Products (14)

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

Timeline

Published Aug 27, 2008

Tracked Since Feb 18, 2026