Description

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Remediation

References

CVE-2007-5596

Related Vulnerabilities

WordPress Plugin WP Super Cache Remote Code Execution (1.7.1)

WordPress Plugin Booster Plus for WooCommerce Multiple Cross-Site Request Forgery Vulnerabilities (6.0.0)

WordPress 4.2.2 Multiple Vulnerabilities (0.7 - 4.2.2)

WordPress Plugin WordPress Framework Possible Backdoor (1.0)

WordPress Plugin Responsive Image Slider, Photo Gallery And Carousel Security Bypass (1.3.5)

Severity

Medium

Classification

CVE-2007-5596 CWE-707

Tags

Missing Update Known Vulnerabilities