Description

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Remediation

References

CVE-2008-3219

Related Vulnerabilities

WordPress Plugin Social Auto Poster-WordPress Scheduler & Marketing Security Bypass (5.3.14)

WordPress Plugin Theme Editor Arbitrary File Download (2.5)

WordPress Plugin WP Photo Album Plus Cross-Site Scripting (5.4.17)

Apache HTTP Server Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2004-0748)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-0800)

Severity

Medium

Classification

CVE-2008-3219 CWE-707

Tags

Missing Update Known Vulnerabilities