CVE-2008-3218
Description
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 6.x before 6.3 has XSS via free tagging taxonomy terms on node preview pages and unsanitized OpenID values.
Vulnerability
Drupal 6.x versions prior to 6.3 are affected by two cross-site scripting (XSS) issues. First, free tagging taxonomy terms are not properly sanitized on node preview pages, allowing injection of arbitrary script or HTML. Second, unspecified OpenID values from providers are output without escaping, enabling XSS when a user interacts with malicious OpenID providers. [1][4]
Exploitation
For the taxonomy XSS, an attacker must entice a victim to select a crafted term containing malicious code and then preview the node. For the OpenID XSS, a malicious OpenID provider can inject script into user pages when the victim uses that provider. Both require user interaction (previewing a node or using a malicious OpenID provider). [4]
Impact
Successful exploitation allows remote attackers to inject arbitrary web script or HTML in the context of the victim's session, potentially leading to data theft, session hijacking, or other malicious actions. [1]
Mitigation
The vulnerabilities are fixed in Drupal 6.3, released July 9, 2008. Users should upgrade to Drupal 6.3 or later. Fedora packages were updated to drupal-6.3-1.fc9 and drupal-5.8-1.fc8. [2][3][4]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/drupal | Packagist | >= 6.0, < 6.3 | 6.3 |
Affected products
- cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Patch, Third Party Advisory)
- drupal.org/node/280571 (NVD: Vendor Advisory)
- secunia.com/advisories/31079 (NVD: Third Party Advisory)
- www.openwall.com/lists/oss-security/2008/07/10/3 (NVD: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/30168 (NVD: Third Party Advisory, VDB Entry)
- exchange.xforce.ibmcloud.com/vulnerabilities/43704 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-6cj8-c359-p7q9 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-3218 (GHSA: Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html (NVD: Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html (NVD: Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html (NVD: Third Party Advisory)
- web.archive.org/web/20080804010537/http://secunia.com/advisories/31079 (GHSA)
- web.archive.org/web/20081007110725/http://www.securityfocus.com/bid/30168 (GHSA)
News mentions
No linked articles in our index yet.