Description
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.