Description
The Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before 5.22 do not properly sanitize language codes or native and English language names when displaying them, which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Remediation
References