Description
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
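The defensive pattern the fix implies is to ignore the MIME type recorded from the uploading browser and derive the Content-Type of a private-file download on the server, forcing anything outside a small inline-safe allowlist to be delivered as an opaque attachment with `X-Content-Type-Options: nosniff`. The following is an added illustration written for this entry, not Drupal's own code: the allowlist, the helper names and the constructed sample filenames are assumptions, and the browser-claimed type is kept as a parameter only to show that it plays no role in the hardened version.

```python
import mimetypes
import os
import re

# Constructed allowlist (assumption): the only types this download endpoint
# is willing to render inline. Everything else is served as opaque bytes.
INLINE_SAFE_TYPES = {
    "image/png",
    "image/jpeg",
    "image/gif",
    "application/pdf",
    "text/plain",
}


def vulnerable_headers(stored_name: str, client_claimed_type: str) -> dict:
    """The weak pattern: the Content-Type is whatever the uploader's browser
    claimed, so an authenticated user who uploads a file declared as
    text/html gets it rendered as a page in other users' browsers."""
    return {"Content-Type": client_claimed_type}


def safe_filename(stored_name: str) -> str:
    """Reduce the name to its basename and strip characters that could
    break out of the quoted Content-Disposition parameter."""
    base = os.path.basename(stored_name)
    return re.sub(r'["\r\n\\]', "_", base) or "download"


def derive_content_type(stored_name: str) -> str:
    """Derive the type from the server-side filename extension only,
    never from the MIME type supplied at upload time."""
    guessed, _ = mimetypes.guess_type(stored_name)
    return guessed or "application/octet-stream"


def hardened_headers(stored_name: str, client_claimed_type: str) -> dict:
    """The hardened pattern. client_claimed_type is deliberately unused:
    the response type comes from the server-side derivation and any type
    not on the inline allowlist is forced to a download."""
    del client_claimed_type  # explicitly ignored
    content_type = derive_content_type(stored_name)
    name = safe_filename(stored_name)
    headers = {"X-Content-Type-Options": "nosniff"}
    if content_type in INLINE_SAFE_TYPES:
        headers["Content-Type"] = content_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: (stored filename, MIME type claimed by the browser)
    samples = [
        ("notes.html", "text/html"),
        ("photo.png", "text/html"),
        ("report.pdf", "application/pdf"),
    ]
    for stored, claimed in samples:
        print(stored, "->", vulnerable_headers(stored, claimed),
              "| hardened:", hardened_headers(stored, claimed))
```

Running the block prints, for each constructed sample, the header set the weak pattern would emit beside the hardened one; the HTML upload is the case where the two diverge, since the hardened version never lets a client-declared `text/html` reach the response and additionally disables MIME sniffing so the browser cannot re-derive it from the body.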
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2014-6454 Vulnerability (CVE-2014-6454)
phpBB Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-11767)
Ruby on Rails CVE-2021-22902 Vulnerability (CVE-2021-22902)
Joomla Session Fixation Vulnerability (CVE-2010-1434)
WordPress Plugin WordPress Sentinel Multiple Vulnerabilities (1.0.0)