CVE-2007-4363 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6 ,allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Content Construction Kit

Configuration 1 [-]

OR	cpe:2.3:a:drupal:content_construction_kit:4.7:::::::*
	cpe:2.3:a:drupal:content_construction_kit:5.2:::::::*

No data.

References

Link	Providers
http://drupal.org/node/166992
http://drupal.org/node/166994
http://drupal.org/node/166998
http://osvdb.org/37208
http://osvdb.org/37209
http://secunia.com/advisories/26416
http://www.securityfocus.com/bid/25321
http://www.vupen.com/english/advisories/2007/2876
https://exchange.xforce.ibmcloud.com/vulnerabilities/36000
https://exchange.xforce.ibmcloud.com/vulnerabilities/36002

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-08-15T19:00:00

Updated: 2024-08-07T14:53:55.827Z

Reserved: 2007-08-15T00:00:00

Link: CVE-2007-4363

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-08-15T19:17:00.000

Modified: 2017-07-29T01:32:53.193

Link: CVE-2007-4363

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6 ,allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "cck-nodereference-autocomplete-xss(36002)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36002"}, {"name": "37209", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37209"}, {"name": "25321", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/25321"}, {"name": "37208", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37208"}, {"name": "ADV-2007-2876", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2876"}, {"name": "26416", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26416"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/166994"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/166992"}, {"name": "cck-nodereference-plain-xss(36000)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36000"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/166998"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-4363", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6 ,allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "cck-nodereference-autocomplete-xss(36002)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36002"}, {"name": "37209", "refsource": "OSVDB", "url": "http://osvdb.org/37209"}, {"name": "25321", "refsource": "BID", "url": "http://www.securityfocus.com/bid/25321"}, {"name": "37208", "refsource": "OSVDB", "url": "http://osvdb.org/37208"}, {"name": "ADV-2007-2876", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2876"}, {"name": "26416", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26416"}, {"name": "http://drupal.org/node/166994", "refsource": "CONFIRM", "url": "http://drupal.org/node/166994"}, {"name": "http://drupal.org/node/166992", "refsource": "CONFIRM", "url": "http://drupal.org/node/166992"}, {"name": "cck-nodereference-plain-xss(36000)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36000"}, {"name": "http://drupal.org/node/166998", "refsource": "CONFIRM", "url": "http://drupal.org/node/166998"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:53:55.827Z"}, "title": "CVE Program Container", "references": [{"name": "cck-nodereference-autocomplete-xss(36002)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36002"}, {"name": "37209", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37209"}, {"name": "25321", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/25321"}, {"name": "37208", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37208"}, {"name": "ADV-2007-2876", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/2876"}, {"name": "26416", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26416"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/166994"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/166992"}, {"name": "cck-nodereference-plain-xss(36000)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36000"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/166998"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-4363", "datePublished": "2007-08-15T19:00:00", "dateReserved": "2007-08-15T00:00:00", "dateUpdated": "2024-08-07T14:53:55.827Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:content_construction_kit:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "A60BFE40-E097-404C-9AA8-EB7D1BA3EEB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:content_construction_kit:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "0E144760-7268-4D9D-9253-9C62EF31CC8B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6 ,allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo nodereference de Drupal Content Construction Kig (CCK) anterior a 4.7.x-1.6, y 5.x anterior a 5.x-1.6, permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de campos nodereference, cuando se usa (1) el formateador simple (plain formatter) o (2) la mini-aplicaci\u00f3n (widget) de autocompletado de campos de texto sin Views.module."}], "id": "CVE-2007-4363", "lastModified": "2017-07-29T01:32:53.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-08-15T19:17:00.000", "references": [{"source": "cve@mitre.org", "url": "http://drupal.org/node/166992"}, {"source": "cve@mitre.org", "url": "http://drupal.org/node/166994"}, {"source": "cve@mitre.org", "url": "http://drupal.org/node/166998"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37208"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37209"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26416"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/25321"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2876"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36000"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36002"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}