Description

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Remediation

References

CVE-2007-5596

Related Vulnerabilities

IBM WebSEAL Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2019-4156)

Django Resource Management Errors Vulnerability (CVE-2015-5143)

WordPress Plugin Website FAQ 'website-faq-widget.php' SQL Injection (1.0)

Ruby on Rails Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-6496)

Piwigo URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-9464)

Severity

Medium

Classification

CVE-2007-5596 CWE-707

Tags

Missing Update Known Vulnerabilities