Unrated severityNVD Advisory· Published Oct 22, 2007· Updated Apr 23, 2026

CVE-2007-5621

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

Affected products

Drupal/Asin Field Module
cpe:2.3:a:drupal:asin_field_module:*:*:*:*:*:*:*:*
Drupal/Drupal4 versions
cpe:2.3:a:drupal:drupal:4.7:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:drupal:drupal:4.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
Drupal/E Commerce Module
cpe:2.3:a:drupal:e-commerce_module:*:*:*:*:*:*:*:*
Drupal/Fullname Field For Cck
cpe:2.3:a:drupal:fullname_field_for_cck:*:*:*:*:*:*:*:*
Drupal/Invite Module
cpe:2.3:a:drupal:invite_module:*:*:*:*:*:*:*:*
Drupal/Node Relativity Module
cpe:2.3:a:drupal:node_relativity_module:*:*:*:*:*:*:*:*
Drupal/Pathauto Module
cpe:2.3:a:drupal:pathauto_module:*:*:*:*:*:*:*:*
Drupal/Paypal Node Module
cpe:2.3:a:drupal:paypal_node_module:*:*:*:*:*:*:*:*
Drupal/Token Module
cpe:2.3:a:drupal:token_module:*:*:*:*:*:*:*:*
Range: <=1.4
Drupal/Ubercart Module
cpe:2.3:a:drupal:ubercart_module:*:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

drupal.org/node/184336nvdPatch
secunia.com/advisories/27291nvdPatch
osvdb.org/38073nvd
exchange.xforce.ibmcloud.com/vulnerabilities/37275nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000