FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- multiple vulnerabilities

Affected packages
drupal5 < 5.12
drupal6 < 6.6


VuXML ID 706c9eef-a077-11dd-b413-001372fd0af2
Discovery 2008-10-22
Entry 2008-10-22
Modified 2010-05-12

The Drupal Project reports:

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory. This bug affects both Drupal 5 and Drupal 6.

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access. This bug affects Drupal 6.


CVE Name CVE-2008-6170