CVE-2012-2298

RealName module < 6.x-1.5 for Drupal - Cross-Site Scripting via User Names and Autocomplete Callbacks

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks."

References (9)

Core 9

Core References

Exploit, Patch x_refsource_confirm

http://drupalcode.org/project/realname.git/commitdiff/b920794

Patch, Vendor Advisory x_refsource_misc

http://drupal.org/node/1547660

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48936

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/05/03/2

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/53250

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/75181

Patch x_refsource_confirm

http://drupal.org/node/1547352

Exploit, Patch x_refsource_confirm

http://drupalcode.org/project/realname.git/commitdiff/41786d0

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/05/03/1

Scores

EPSS 0.0067

EPSS Percentile 71.6%

Details

CWE

CWE-79

Status published

Products (7)

drupal/realname 6.x-1.2

nancy_wichmann/realname 6.x-1.0 (3 CPE variants)

nancy_wichmann/realname 6.x-1.1 (4 CPE variants)

nancy_wichmann/realname 6.x-1.2

nancy_wichmann/realname 6.x-1.3

nancy_wichmann/realname 6.x-1.4

nancy_wichmann/realname 6.x-1.x dev

Published Aug 14, 2012

Tracked Since Feb 18, 2026