Description
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
Remediation
References