The Project Issue Tracking module 5.x-2.x-dev prior to 20080130 in the 5.x-2.x series, 5.x-1.2 and previous versions in the 5.x-1.x series, 4.7.x-2.6 and previous versions in the 4.7.x-2.x series, and 4.7.x-1.6 and previous versions in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote malicious users to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote malicious users to upload files containing arbitrary web script or HTML.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
drupal project issue tracking module 4.7 |
||
drupal project issue tracking module 5.0 |