CVE-2006-4949

medium

Description

Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profile Directory (profile_pages.module) before 1.1.2.1 and the Drupal 4.7 Site Profile Directory (profile_pages.module) before 1.2.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output," possibly in the name and title parameters.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/29061

http://www.vupen.com/english/advisories/2006/3714

http://www.osvdb.org/29029

http://secunia.com/advisories/22035

http://drupal.org/node/85048

Details

Source: Mitre, NVD

Published: 2006-09-23

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00351