CVE-2008-3218 — Drupal vulnerable to Cross-site Scripting

Description

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

How to fix CVE-2008-3218

To remediate CVE-2008-3218, upgrade the affected package to a fixed version below.

Packagist/drupal/drupal—upgrade to 6.3 or later

Is CVE-2008-3218 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0, < 6.3

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-3218
PATCHgithub.com/drupal/drupal
WEBdrupal.org/node/280571
WEBbugzilla.redhat.com/show_bug.cgi?id=454849
WEBexchange.xforce.ibmcloud.com/vulnerabilities/43704