Description
Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The avatar_uploader module for Drupal 7 contains a reflected cross‑site scripting flaw that lets an unauthenticated attacker inject JavaScript by modifying the "file" parameter in avatar_uploader.pages.inc. When a victim opens a URL crafted with a malicious payload, the script runs in their browser, silently enabling the attacker to steal or tamper with the victim’s session data, deface the site or redirect to malicious resources. This injection type directly affects the confidentiality and integrity of user interactions.

Affected Systems

The issue is present only in the 7.x-1.0-beta8 release of the avatar_uploader project. Systems running the Drupal 7 platform with this module version are vulnerable; newer or non‑beta releases are not affected.

Risk and Exploitability

With a CVSS score of 5.1, the flaw is considered moderate. The EPSS score is not available and it is not listed in CISA’s KEV catalog. Attackers can leverage the vulnerability remotely by persuading users to visit a crafted link; authentication is not required. Because the exploit is straightforward—embed a script in a URL—the risk to browsers that execute arbitrary JavaScript is high, but the impact is limited to the victim session and any data accessed by that session.

Generated by OpenCVE AI on May 10, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update avatar_uploader to the latest available release that patches the reflected XSS. If a newer stable version is not available, replace the module with an audited alternative.
  • Temporarily disable the avatar_uploader module or remove it from the Drupal installation while a fix is sourced, to prevent exploitation through the vulnerable file parameter.
  • Implement strict input validation or sanitization on the file parameter, ensuring all user‑supplied data is stripped of executable JavaScript before being reflected in the response.
  • Deploy a web application firewall or reverse proxy rule that blocks requests containing suspicious script patterns in URL query strings targeting avatar_uploader pages.

Generated by OpenCVE AI on May 10, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.
Title Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS
First Time appeared Avatar Uploader Project
Avatar Uploader Project avatar Uploader
Weaknesses CWE-79
CPEs cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.0-1.0:beta8:*:*:*:*:*:*
Vendors & Products Avatar Uploader Project
Avatar Uploader Project avatar Uploader
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Avatar Uploader Project Avatar Uploader
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:52.170Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50957

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:33.310

Modified: 2026-05-10T13:16:33.310

Link: CVE-2022-50957

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T14:00:13Z

Weaknesses