vendor: Drupal
by: Emanuele 'emgent' Gentili
CVSS: 3,3 (LOW)
Multiple Permanent XSS
CWE: N/A
Product Name: Drupal
Affected Version From: Drupal <= 6.15
Affected Version To: Drupal <= 6.15
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
0day Drupal <= 6.15 Multiple Permanent XSS
Drupal 6.15 (the latest release) is vulnerable to multiple permanent (stored) Cross Site Scripting issues, and older releases are probably affected too. The severity is low in any case, because an attacker can exploit them only with access to 'User Management' and the right privileges. The first vulnerability is in 'Access rules': the attacker can enter code in the 'Mask' textbox, and after the form is submitted the code is executed. The second vulnerability, similar to the first, is in 'Roles management': the attacker can use the 'Name Role' field to add malicious code, which is executed after submission when the related list page is viewed. These vulnerabilities are 'permanent'.
Mitigation:
The attacker must have access to 'User Management' with the right privileges.