Description
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
Remediation
References