CVE-2012-2726

Drupal Protest <7.x-1.2 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter.

References (9)

[Patch] http://drupal.org/node/1618090

[Patch] http://drupal.org/node/1618092

[Patch, Vendor Advisory] http://drupal.org/node/1619856

[Exploit, Patch] http://drupalcode.org/project/protest.git/commitdiff/c85eaed

[Exploit, Patch] http://drupalcode.org/project/protest.git/commitdiff/cf8c543

[Vendor Advisory] http://secunia.com/advisories/49386

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/76126

[Mailing List] http://www.openwall.com/lists/oss-security/2012/06/14/3

[Third Party Advisory, VDB Entry] http://www.osvdb.org/82715

Scores

EPSS 0.0044

EPSS Percentile 62.7%

Classification

CWE

CWE-79

Status published

Affected Products (5)

alberto_trujillo_gonzalez/protest

alberto_trujillo_gonzalez/protest

alberto_trujillo_gonzalez/protest

alberto_trujillo_gonzalez/protest

n/a/n/a

Timeline

Published Jun 27, 2012

Tracked Since Feb 18, 2026