Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.
2007-10-22T19:46:00.000
2025-04-09T00:30:58.490
Deferred
CVSSv2: 3.5 (LOW)
AV:N/AC:M/Au:S/C:N/I:P/A:N
6.8
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | drupal | asin_field_module | * | Yes |
| Application | drupal | drupal | 4.7 | Yes |
| Application | drupal | drupal | 5.0 | Yes |
| Application | drupal | drupal | 5.1 | Yes |
| Application | drupal | drupal | 5.2 | Yes |
| Application | drupal | e-commerce_module | * | Yes |
| Application | drupal | fullname_field_for_cck | * | Yes |
| Application | drupal | invite_module | * | Yes |
| Application | drupal | node_relativity_module | * | Yes |
| Application | drupal | pathauto_module | * | Yes |
| Application | drupal | paypal_node_module | * | Yes |
| Application | drupal | token_module | ≤ 1.4 | Yes |
| Application | drupal | token_module | ≤ 1.8 | Yes |
| Application | drupal | ubercart_module | * | Yes |