CVE-2010-2472
MEDIUMDrupal 5.0-5.21 - Authenticated Cross-Site Scripting in Locale Module
Title source: llmDescription
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2010-2472
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/node/731710
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://www.openwall.com/lists/oss-security/2010/06/28/8
Scores
CVSS v3
4.8
EPSS
0.0049
EPSS Percentile
65.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
drupal/drupal
5.0 - 5.22
Published
Nov 07, 2019
Tracked Since
Feb 18, 2026