CVE-2010-3094 — Drupal cross-site scripting vulnerability via actions feature and trigger module

Description

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.

How to fix CVE-2010-3094

To remediate CVE-2010-3094, upgrade the affected package to a fixed version below.

Packagist/drupal/drupal—upgrade to 6.18 or later

Is CVE-2010-3094 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0, < 6.18

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-3094
PATCHgithub.com/drupal/drupal
WEBdrupal.org/node/880476
WEBmarc.info/?l=oss-security&m=128418560705305&w=2
WEBmarc.info/?l=oss-security&m=128440896914512&w=2