CVE-2010-2472

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
drupaldrupal
5.0 ≤
𝑥
< 5.22
drupaldrupal
6.0 ≤
𝑥
< 6.16
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal6
saucy
dne
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
natty
not-affected
maverick
not-affected
lucid
ignored
hardy
dne
Common Weakness Enumeration
References
https://security-tracker.debian.org/tracker/CVE-2010-2472
https://www.drupal.org/node/731710
https://www.openwall.com/lists/oss-security/2010/06/28/8
https://security-tracker.debian.org/tracker/CVE-2010-2472
https://www.drupal.org/node/731710
https://www.openwall.com/lists/oss-security/2010/06/28/8