The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
References
Link | Resource |
---|---|
http://drupal.org/node/227608 | Patch Vendor Advisory |
http://secunia.com/advisories/29118 | Third Party Advisory |
http://www.securityfocus.com/bid/28026 | Patch Third Party Advisory VDB Entry |
Configurations
History
20 Apr 2021, 15:23
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) http://drupal.org/node/227608 - Patch, Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/29118 - Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/28026 - Patch, Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:* |
Information
Published : 2008-03-04 18:44
Updated : 2023-12-10 10:40
NVD link : CVE-2008-1133
Mitre link : CVE-2008-1133
CVE.ORG link : CVE-2008-1133
JSON object : View
Products Affected
drupal
- drupal
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')