CVE-2014-9346

Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/60511
https://www.drupal.org/node/2385933	Patch
https://www.drupal.org/node/2386615	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/99136

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.3:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.4:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.0:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.7:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.8:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.1:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.2:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.x:dev::::drupal::*
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.5:::::drupal::
	cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.6:::::drupal::

Information

Published : 2014-12-08 08:59

Updated : 2019-06-26 10:43

NVD link : CVE-2014-9346

Mitre link : CVE-2014-9346

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

hierarchical_select_project

hierarchical_select

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/60511", "name": "60511", "tags": [], "refsource": "SECUNIA"}, {"url": "https://www.drupal.org/node/2385933", "name": "https://www.drupal.org/node/2385933", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://www.drupal.org/node/2386615", "name": "https://www.drupal.org/node/2386615", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99136", "name": "hierarchicalselect-hierarchicalselect-xss(99136)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-9346", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-12-08T16:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.3:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.4:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.0:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.7:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.8:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.1:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.2:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.x:dev:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.5:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hierarchical_select_project:hierarchical_select:6.x-3.6:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-06-26T17:43Z"}