vendor: Drupal
by: Unknown
CVSS: 7.5 (HIGH)
HTML-injection and arbitrary-file-upload vulnerabilities
CWE: 79, 434
Product Name: Drupal
Affected Version From: Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and 6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12. Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2. Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1.
Affected Version To:
Patch Exists: YES
Related CWE:
CPE: a:drupal:drupal
Platforms Tested:
2010
Multiple Remote Vulnerabilities in Drupal Embedded Media Field, Media: Video Flotsam, and Media: Audio Flotsam Modules
An attacker could exploit these vulnerabilities to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server.
Mitigation:
Upgrade to Drupal Embedded Media Field version 6.x-1.26 or 6.x-2.4, Drupal Media: Video Flotsam version 6.x-1.2, and Drupal Media: Audio Flotsam version 6.x-1.1. Additionally, apply proper input validation and sanitization to user-generated content.