Vulnerability Description
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Drupal | < 4.7.6 |
References
- http://archives.neohapsis.com/archives/bugtraq/2007-01/0670.htmlBroken Link
- http://drupal.org/node/113935PatchVendor Advisory
- http://osvdb.org/32136Broken Link
- http://secunia.com/advisories/23960Third Party Advisory
- http://secunia.com/advisories/23990Third Party Advisory
- http://www.securityfocus.com/bid/22306Third Party AdvisoryVDB Entry
- http://www.vbdrupal.org/forum/showthread.php?t=786Broken Link
- http://www.vupen.com/english/advisories/2007/0406Third Party Advisory
- http://www.vupen.com/english/advisories/2007/0415Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31940Third Party AdvisoryVDB Entry
- http://archives.neohapsis.com/archives/bugtraq/2007-01/0670.htmlBroken Link
- http://drupal.org/node/113935PatchVendor Advisory
- http://osvdb.org/32136Broken Link
- http://secunia.com/advisories/23960Third Party Advisory
- http://secunia.com/advisories/23990Third Party Advisory
FAQ
What is CVE-2007-0626?
CVE-2007-0626 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input f...
How severe is CVE-2007-0626?
CVE-2007-0626 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-0626?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal.