CVE-2014-5022

Drupal 7.x < 7.29 - Cross-Site Scripting via Ajax-Enabled Textfield and File Field

Title source: llm
STIX 2.1

Description

Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.

References (2)

Core 2
Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2983
Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2014-003

Scores

EPSS 0.0026
EPSS Percentile 49.5%

Details

CWE
CWE-79
Status published
Products (30)
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
drupal/drupal 7.7
drupal/drupal 7.8
drupal/drupal 7.9
... and 20 more
Published Jul 22, 2014
Tracked Since Feb 18, 2026