CVE-2007-5621

Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/184336	Patch
http://secunia.com/advisories/27291	Patch
http://osvdb.org/38073
https://exchange.xforce.ibmcloud.com/vulnerabilities/37275

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal:5.2:::::::*
	cpe:2.3:a:drupal:e-commerce_module::::::::
	cpe:2.3:a:drupal:token_module::::::::
	cpe:2.3:a:drupal:token_module::::::::
	cpe:2.3:a:drupal:asin_field_module::::::::
	cpe:2.3:a:drupal:drupal:4.7:::::::*
	cpe:2.3:a:drupal:node_relativity_module::::::::
	cpe:2.3:a:drupal:pathauto_module::::::::
	cpe:2.3:a:drupal:drupal:5.0:::::::*
	cpe:2.3:a:drupal:drupal:5.1:::::::*
	cpe:2.3:a:drupal:paypal_node_module::::::::
	cpe:2.3:a:drupal:invite_module::::::::
	cpe:2.3:a:drupal:ubercart_module::::::::
	cpe:2.3:a:drupal:fullname_field_for_cck::::::::

Information

Published : 2007-10-22 12:46

Updated : 2017-07-28 18:33

NVD link : CVE-2007-5621

Mitre link : CVE-2007-5621

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

drupal

node_relativity_module
paypal_node_module
fullname_field_for_cck
asin_field_module
drupal
ubercart_module
pathauto_module
invite_module
token_module
e-commerce_module

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://drupal.org/node/184336", "name": "http://drupal.org/node/184336", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/27291", "name": "27291", "tags": ["Patch"], "refsource": "SECUNIA"}, {"url": "http://osvdb.org/38073", "name": "38073", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37275", "name": "drupal-tokenmodule-xss(37275)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-5621", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2007-10-22T19:46Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:e-commerce_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:token_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.4"}, {"cpe23Uri": "cpe:2.3:a:drupal:token_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.8"}, {"cpe23Uri": "cpe:2.3:a:drupal:asin_field_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:4.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:node_relativity_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:pathauto_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:paypal_node_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:invite_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:ubercart_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:fullname_field_for_cck:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-07-29T01:33Z"}