CVE-2010-2472

low-risk
Published 2019-11-07

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.

Do I need to act?

-
0.49% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Drupal

References (6)

Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2010-2472
Patch https://www.drupal.org/node/731710
Mailing List https://www.openwall.com/lists/oss-security/2010/06/28/8
Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2010-2472
Patch https://www.drupal.org/node/731710
Mailing List https://www.openwall.com/lists/oss-security/2010/06/28/8
26
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal