CVE Reference: CVE-2010-2123

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2010-2123

Description:
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to index.php; the (10) title (aka Project) parameter in a stormticket action to index.php; or (11) unspecified parameters in a stormproject action to index.php. NOTE: some of these details are obtained from third party information.

CVE Status:
Candidate

References:

XF
  http://xforce.iss.net/xforce/xfdb/58717

SAID
  Secunia Advisory: SA39732

OSVDB
  64616

FULLDISC
  http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0160.html

CONFIRM
  http://drupal.org/node/803770

BID
  40288


Return to the previous page.