drupal: several vulnerabilities
| Package(s): | drupal |
CVE #(s): | CVE-2005-3973
CVE-2005-3974
CVE-2005-3975
|
| Created: | January 27, 2006 |
Updated: | February 1, 2006 |
| Description: |
Several security related problems have been discovered in drupal, a
fully-featured content management/discussion engine. Several cross-site
scripting vulnerabilities allow remote attackers to inject arbitrary web
script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not
correctly enforce user privileges, which allows remote attackers to bypass
the "access user profiles" permission (CVE-2005-3974). An interpretation
conflict allows remote authenticated users to inject arbitrary web script
or HTML via HTML in a file with a GIF or JPEG file extension
(CVE-2005-3975). |
| Alerts: |
|
