CVE-2007-0626

critical

Description

The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."

References

Advisories
More

https://exchange.xforce.ibmcloud.com/vulnerabilities/31940

http://www.vupen.com/english/advisories/2007/0415

http://www.vupen.com/english/advisories/2007/0406

http://www.securityfocus.com/bid/22306

http://secunia.com/advisories/23990

http://secunia.com/advisories/23960

http://drupal.org/node/113935

Details

Source: Mitre, NVD

Published: 2007-01-31

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.04494