Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2007-5596

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Related bugs and status

CVE-2007-5596 (Candidate) is related to these bugs:

Bug #154811: [SA-2007-{24,25,26,29,30}] Fix for several security issues in drupal 5.2

Summary				In	Importance	Status
	154811	[SA-2007-{24,25,26,29,30}] Fix for several security issues in drupal 5.2		drupal5 (Ubuntu)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://drupal.org/node...
SECUNIA: 27292
FEDORA: FEDORA-2007-2649
BID: 26119
SECUNIA: 27352
VUPEN: ADV-2007-3546
XF: drupal-uploadmodule-xs...