Description

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Remediation

References

CVE-2007-5596

Related Vulnerabilities

SharePoint Improper Certificate Validation Vulnerability (CVE-2019-1006)

ATutor Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-12170)

WordPress Plugin Easy Accept Payments for PayPal Cross-Site Scripting (4.9.9)

WordPress Plugin Welcart e-Commerce PHP Object Injection (1.9.35)

Internet Information Services Other Vulnerability (CVE-1999-1223)

Severity

Medium

Classification

CVE-2007-5596 CWE-707

Tags

Missing Update Known Vulnerabilities