CVE-2012-1654
Low
CVSS Score
Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or HTML via the title parameter in (1) data.views.inc and (2) data_ui/data_ui.admin.inc.
Known Affected Software
4 configuration(s) from 1 vendor(s)
- data
  Version: 7.x-1.x
  CPE: cpe:2.3:a:alex_barth:data:7.x-1.x:dev:*:*:*:*:*:*
- data
  Version: 6.x-1.x
  CPE: cpe:2.3:a:alex_barth:data:6.x-1.x:dev:*:*:*:*:*:*
- data
  Version: 7.x-1.0
  CPE: cpe:2.3:a:alex_barth:data:7.x-1.0:alpha1:*:*:*:*:*:*
- data
  Version: 6.x-1.0
  CPE: cpe:2.3:a:alex_barth:data:6.x-1.0:alpha1:*:*:*:*:*:*
This vulnerability affects 4 software configuration(s). Ensure you patch all affected systems.
References & Resources
- http://drupal.org/node/1470980 (source: secalert@redhat.com; Patch)
- http://drupal.org/node/1470982 (source: secalert@redhat.com; Patch)
- http://drupal.org/node/1471780 (source: secalert@redhat.com; Vendor Advisory)
- http://drupalcode.org/project/data.git/commit/33f0caa (source: secalert@redhat.com)
- http://drupalcode.org/project/data.git/commit/6f6858a (source: secalert@redhat.com)
- http://secunia.com/advisories/48326 (source: secalert@redhat.com; Vendor Advisory)
- http://www.madirish.net/content/drupal-data-6x-10-xss-vulnerability (source: secalert@redhat.com)
- http://www.openwall.com/lists/oss-security/2012/04/07/1 (source: secalert@redhat.com)
- http://www.osvdb.org/79854 (source: secalert@redhat.com)
- http://www.securityfocus.com/bid/52337 (source: secalert@redhat.com)
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-79
Top 25 #1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- Exploit Likelihood: High
- Typical Severity: Medium
- OWASP Top 10: A03:2021-Injection
- Abstraction Level: Base
Key Information
- Published Date: September 18, 2012
