CVE-2007-3818

Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with "administer blocks" permission to inject arbitrary JavaScript and gain privileges via "the message displayed above the default user login block."

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/158921	Patch
http://osvdb.org/37010
http://drupal.org/node/158921	Patch
http://osvdb.org/37010

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:logintoboggan_module::::::::
	cpe:2.3:a:drupal:logintoboggan_module::::::::

History

21 Nov 2024, 00:34

Type	Values Removed	Values Added
References	~~() http://drupal.org/node/158921 - Patch~~	() http://drupal.org/node/158921 - Patch
References	~~() http://osvdb.org/37010 -~~	() http://osvdb.org/37010 -

Information

Published : 2007-07-17 01:30

Updated : 2025-04-09 00:30

NVD link : CVE-2007-3818

Mitre link : CVE-2007-3818

CVE.ORG link : CVE-2007-3818

JSON object : View

Products Affected

drupal

logintoboggan_module

CWE

NVD-CWE-Other

{"id": "CVE-2007-3818", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2007-07-17T01:30:00.000", "references": [{"url": "http://drupal.org/node/158921", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://osvdb.org/37010", "source": "cve@mitre.org"}, {"url": "http://drupal.org/node/158921", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://osvdb.org/37010", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with \"administer blocks\" permission to inject arbitrary JavaScript and gain privileges via \"the message displayed above the default user login block.\""}, {"lang": "es", "value": "Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en el m\u00f3dulo LoginToboggan module 5.x-1.x-dev anterior 20070712 para Drupal permite a usuarios remotos validados con permisos de \"administraci\u00f3n de bloques\" inyectar JavaScript de su elecci\u00f3n y ganar privilegios a trav\u00e9s de \"\tdel mensaje mostrado sobre el bloque de entrada del usuario del defecto.\""}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:logintoboggan_module:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05EFF0E0-3361-46BF-860A-568E272B5C7C", "versionEndIncluding": "4.7.x-1.0"}, {"criteria": "cpe:2.3:a:drupal:logintoboggan_module:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F0C8D28-AEAD-4BA5-95C3-CA0C2C80600E", "versionEndIncluding": "5.x-1.x-dev"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}