CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.002 Low
EPSS Percentile: 59.8%
DISPUTED: Drupal allows remote attackers to conduct cross-site
scripting (XSS) attacks via an IMG tag with an unusual encoded JavaScript
function name, as demonstrated using variations of the alert() function.
NOTE: a follow-up by the vendor suggests that the issue does not exist in
4.5.6 or 4.6.4 when “Filtered HTML” is enabled, and since “Full HTML” would
not filter HTML by design, perhaps this should not be included in CVE.