Description

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Remediation

References

CVE-2007-5596

Related Vulnerabilities

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Cross-Site Request Forgery (2.0.39)

Sqlite Integer Overflow or Wraparound Vulnerability (CVE-2025-29088)

WordPress Plugin WP BASE Booking of Appointments, Services and Events PHP Object Injection (3.5.0)

WordPress Plugin WP Mail Logging Multiple Unspecified Vulnerabilities (1.5.0)

WordPress Plugin WP Subtitle Unspecified Vulnerability (2.5)

Severity

Medium

Classification

CVE-2007-5596 CWE-707

Tags

Missing Update Known Vulnerabilities