CVE-2014-5169

Name
CVE-2014-5169
Description
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
BID http://www.securityfocus.com/bid/68974
Patch https://www.drupal.org/node/2311887
MLIST http://www.openwall.com/lists/oss-security/2014/07/31/2
Vendor Advisory https://www.drupal.org/node/2312609
MLIST http://www.openwall.com/lists/oss-security/2014/07/31/4

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:date_project:date:*:*:*:*:*:drupal:*:* date >= None <= 7.x-2.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
date edge-community 3.0.1-r0 Luca Weiss <luca@z3ntu.xyz> fixed
date 3.14-community 3.0.0-r0 Luca Weiss <luca@z3ntu.xyz> fixed
date 3.15-community 3.0.1-r0 Luca Weiss <luca@z3ntu.xyz> possibly vulnerable