Input format access bypass in Drupal - #VU515
Published: September 19, 2016
Vulnerability identifier: #VU515
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to insert arbitrary HTML and script code into pages or even execute PHP code.
The weakness exists due to administrator's changes of the comment's input format able to process modified user's signatures. If the new format allows too much, attackers can inject arbitrary HTML and script code or execute PHP code.
Successful exploitation of the vulnerability leads to arbitrary HTML and script code injection or PHP code execution.
The weakness exists due to administrator's changes of the comment's input format able to process modified user's signatures. If the new format allows too much, attackers can inject arbitrary HTML and script code or execute PHP code.
Successful exploitation of the vulnerability leads to arbitrary HTML and script code injection or PHP code execution.