Vulnerability Details : CVE-2007-0626
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2007-0626
Probability of exploitation activity in the next 30 days: 3.39%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 %
CVSS scores for CVE-2007-0626
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST
References for CVE-2007-0626
- http://www.securityfocus.com/bid/22306 (Third Party Advisory; VDB Entry)
- http://www.vupen.com/english/advisories/2007/0415 (Third Party Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2007-01/0670.html (Broken Link)
- http://www.vbdrupal.org/forum/showthread.php?t=786 (Broken Link)
- http://drupal.org/node/113935 (Patch; Vendor Advisory)
- http://www.vupen.com/english/advisories/2007/0406 (Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31940 (Third Party Advisory; VDB Entry)
Products affected by CVE-2007-0626
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*