CVE-2006-0070

Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE

Published: Jan 4, 2006
Updated: Nov 8, 2023
CVE: CVE-2006-0070
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
drupal / drupal	4.6.4	4.6.4.x
drupal / drupal	4.5.6	4.5.6.x

http://www.securityfocus.com/archive/1/420671/100/0/threaded
http://www.securityfocus.com/archive/1/420683/100/0/threaded

Vulnerability Database

289,599

CVE-2006-0070