Description

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.

Remediation

References

CVE-2010-2472

Related Vulnerabilities

WordPress Plugin WP Support Plus Responsive Ticket System SQL Injection (7.1.4)

Oracle Database Server CVE-2011-0806 Vulnerability (CVE-2011-0806)

ownCloud Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2013-0301)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-3065)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2015-8386)

Severity

Medium

Classification

CVE-2010-2472 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities