CVE-2010-2472

EUVD-2010-2481
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
drupaldrupal
5.0 ≤
𝑥
< 5.22
drupaldrupal
6.0 ≤
𝑥
< 6.16
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal6
hardy
dne
lucid
ignored
maverick
not-affected
natty
not-affected
oneiric
not-affected
precise
not-affected
quantal
not-affected
raring
not-affected
saucy
dne
Common Weakness Enumeration
References
https://security-tracker.debian.org/tracker/CVE-2010-2472
https://www.drupal.org/node/731710
https://www.openwall.com/lists/oss-security/2010/06/28/8
https://security-tracker.debian.org/tracker/CVE-2010-2472
https://www.drupal.org/node/731710
https://www.openwall.com/lists/oss-security/2010/06/28/8