Description

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Remediation

References

CVE-2007-5596

Related Vulnerabilities

MySQL CVE-2015-4866 Vulnerability (CVE-2015-4866)

WordPress Plugin Shield Security-Smart Bot Blocking & Intrusion Prevention Security Local File Inclusion (18.5.9)

WordPress Plugin Spicy Blogroll Local File Include (1.0.0)

WordPress Plugin WP Super Cache Cache Poisoning (1.8)

WordPress Plugin SagePay Server Gateway for WooCommerce Cross-Site Scripting (1.0.8)

Severity

Medium

Classification

CVE-2007-5596 CWE-707

Tags

Missing Update Known Vulnerabilities