CVE-2014-5021

Drupal 6.x < 6.32 and possibly 7.x < 7.29 - Authenticated Cross-Site Scripting via Option Group Label

Title source: llm
STIX 2.1

Description

Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.

References (2)

Core 2
Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2983
Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2014-003

Scores

EPSS 0.0023
EPSS Percentile 45.4%

Details

CWE
CWE-79
Status published
Products (31)
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
drupal/drupal 7.7
drupal/drupal 7.8
drupal/drupal 7.9
... and 21 more
Published Jul 22, 2014
Tracked Since Feb 18, 2026