Description

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Remediation

References

CVE-2008-3219

Related Vulnerabilities

TYPO3 Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-4321)

MySQL CVE-2016-3440 Vulnerability (CVE-2016-3440)

WordPress Plugin Launcher:Coming Soon & Maintenance Mode Cross-Site Scripting (1.0.10)

WordPress Plugin WooCommerce Cross-Site Scripting (3.4.5)

WordPress Plugin OneSignal-Web Push Notifications Cross-Site Scripting (1.17.7)

Severity

Medium

Classification

CVE-2008-3219 CWE-707

Tags

Missing Update Known Vulnerabilities