CVE-2010-2472

EPSS 0.59%
Published 07.11.2019 19:15:12
Last modified 21.11.2024 01:16:44
Source secalert@redhat.com
Teams watchlist Login
Open Login

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 5.0 < 5.22

Drupal ≫ Drupal Version >= 6.0 < 6.16

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.59%	0.683

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.drupal.org/node/731710

Patch

Vendor Advisory

https://www.openwall.com/lists/oss-security/2010/06/28/8

Third Party Advisory

Mailing List

https://security-tracker.debian.org/tracker/CVE-2010-2472

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2010-2472

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2010-2472

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2010-2472

EUVD