5.4

CVE-2013-4275

Exploit

Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the breadcrumb separator field.

Data is provided by the National Vulnerability Database (NVD)
Zen Project, Zen, SwPlatform drupal, Version >= 6.x-1.0 <= 6.x-1.3
Zen Project, Zen, SwPlatform drupal, Version >= 7.x-3.0 < 7.x-3.2
Zen Project, Zen, SwPlatform drupal, Version >= 7.x-5.0 < 7.x-5.4
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.41% | 0.582
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://seclists.org/fulldisclosure/2013/Aug/226 (Third Party Advisory, Exploit, Mailing List)
http://www.madirish.net/?article=452 (Third Party Advisory, Exploit)
http://www.securityfocus.com/bid/61922 (Third Party Advisory, Broken Link, VDB Entry)
https://drupal.org/node/2071055 (Third Party Advisory, Release Notes)
https://drupal.org/node/2071065 (Third Party Advisory, Release Notes)
https://drupal.org/node/2071157 (Third Party Advisory)
https://drupal.org/node/754000 (Third Party Advisory)