Description

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Remediation

References

CVE-2008-3219

Related Vulnerabilities

WordPress Plugin Elementor Website Builder Security Bypass (1.7.12)

EspoCRM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-17302)

Apache HTTP Server Improper Input Validation Vulnerability (CVE-2012-0021)

MySQL CVE-2013-3795 Vulnerability (CVE-2013-3795)

IBM WebSEAL URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-1489)

Severity

Medium

Classification

CVE-2008-3219 CWE-707

Tags

Missing Update Known Vulnerabilities