CVE-2012-2298

Drupal Realname - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks."

References (9)

[Patch] http://drupal.org/node/1547352

[Patch, Vendor Advisory] http://drupal.org/node/1547660

[Exploit, Patch] http://drupalcode.org/project/realname.git/commitdiff/41786d0

[Exploit, Patch] http://drupalcode.org/project/realname.git/commitdiff/b920794

[Vendor Advisory] http://secunia.com/advisories/48936

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/53250

[Mailing List] http://www.openwall.com/lists/oss-security/2012/05/03/1

[Mailing List] http://www.openwall.com/lists/oss-security/2012/05/03/2

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/75181

Scores

EPSS 0.0067

EPSS Percentile 71.1%

Classification

CWE

CWE-79

Status published

Affected Products (13)

drupal/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

nancy_wichmann/realname

n/a/n/a

Timeline

Published Aug 14, 2012

Tracked Since Feb 18, 2026