CVE-2008-3219
Description
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal's `filter_xss_admin()` fails to block the `<object>` HTML tag, leaving administrator input vulnerable to XSS attacks.
Vulnerability
The Drupal filter_xss_admin() function in versions 5.x before 5.8 and 6.x before 6.3 does not prevent the use of the object HTML tag in administrator input [1][2]. This results in insufficient cross-site scripting (XSS) protection for administrative interfaces, potentially allowing the injection of arbitrary script or HTML via the `<object>` tag when an administrator submits or processes input.
Exploitation
An attacker would need to be an authenticated user with administrative-level input access (e.g., creating or editing content that is processed by filter_xss_admin()). By providing crafted content containing an `<object>` tag with malicious script or HTML, the attacker could cause the code to be stored or rendered in a context where it is not properly sanitized. The vulnerability is not readily exploitable, but the exact conditions required remain unspecified in the available references [1][2].
Impact
If successfully exploited, the vulnerability could allow an attacker to inject arbitrary web script or HTML into administrative pages, leading to cross-site scripting (XSS) attacks within the Drupal administrative interface. The full extent of impact is unclear from the references, but it likely results in the compromise of administrative sessions or the execution of unintended actions under the victim's credentials [1][2].
Mitigation
Drupal released fixed versions 5.8 and 6.3 on July 9, 2008, which address this issue [2]. Fedora packages were updated shortly after [1]. Sites still running earlier versions should upgrade immediately. No workaround is documented in the available references. Drupal 5.x and 6.x versions before 5.8 and 6.3, respectively, are affected [2].
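The sections above describe an allowlist gap: an admin-level HTML filter that lets `<object>` through. The following is an added illustration written for this page, not Drupal's filter_xss_admin() (whose real allowlist and tag parser are different and more thorough). It shows a minimal tag allowlist filter with a permissive list that still admits `object`, the same filter with that tag removed, and a detection helper that reports which disallowed tags are present in submitted markup. The names `PERMISSIVE_ADMIN_TAGS`, `HARDENED_ADMIN_TAGS`, `filter_tags` and `disallowed_tags` and the sample markup are constructed for the example; removing `embed` and `applet` alongside `object` goes beyond the CVE text and is my own defensive choice.

```python
import re

# Constructed example: a simplified admin-level tag allowlist filter.
# This is NOT Drupal's filter_xss_admin(); it only models the allowlist idea.

# "Before": a permissive allowlist that still admits <object>, the gap
# CVE-2008-3219 describes.
PERMISSIVE_ADMIN_TAGS = frozenset(
    {"a", "b", "i", "em", "strong", "p", "div", "span", "ul", "ol", "li", "object"}
)

# "After": active-content tags removed from the allowlist. <embed> and
# <applet> are added here as the same class of tag (my assumption, not
# something the CVE text names).
HARDENED_ADMIN_TAGS = PERMISSIVE_ADMIN_TAGS - {"object", "embed", "applet"}

# Matches an opening or closing tag and captures the tag name; attributes
# are consumed by [^<>]* so the whole tag is dropped as one unit.
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def filter_tags(markup: str, allowed: frozenset[str]) -> str:
    """Remove every tag whose (case-folded) name is not in `allowed`.

    Text content between tags is kept. Attributes of allowed tags are NOT
    inspected here; a real filter must also vet attributes (event handlers,
    URL schemes), which this example deliberately leaves out.
    """

    def keep_or_drop(match: re.Match) -> str:
        name = match.group(2).lower()
        return match.group(0) if name in allowed else ""

    return TAG_RE.sub(keep_or_drop, markup)


def disallowed_tags(markup: str, allowed: frozenset[str]) -> list[str]:
    """Detection helper: sorted list of tag names present but not allowed."""
    found = {m.group(2).lower() for m in TAG_RE.finditer(markup)}
    return sorted(found - allowed)


# Constructed sample of administrator-submitted markup containing an
# <object> element alongside ordinary allowed tags.
SAMPLE = (
    '<p>Hello</p>'
    '<object data="plugin.swf" type="application/x-shockwave-flash"></object>'
)


def demo() -> tuple[str, str, list[str]]:
    """Run both allowlists over SAMPLE and report what each one produces."""
    before = filter_tags(SAMPLE, PERMISSIVE_ADMIN_TAGS)   # <object> survives
    after = filter_tags(SAMPLE, HARDENED_ADMIN_TAGS)      # <object> removed
    flagged = disallowed_tags(SAMPLE, HARDENED_ADMIN_TAGS)
    return before, after, flagged


if __name__ == "__main__":
    b, a, f = demo()
    print("permissive :", b)
    print("hardened   :", a)
    print("flagged    :", f)
```

The case-folding in `filter_tags` matters: an allowlist check that compares raw tag names would let `<OBJECT>` past a list that only knows `object`. The detection helper is the piece a site operator would run over stored administrator content after upgrading, to see whether any `<object>` markup was saved while the permissive filter was in effect.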
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/280571 (NVD: Patch, Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Patch, Third Party Advisory)
- secunia.com/advisories/31079 (NVD: Third Party Advisory)
- www.openwall.com/lists/oss-security/2008/07/10/3 (NVD: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/30168 (NVD: Third Party Advisory, VDB Entry)
- exchange.xforce.ibmcloud.com/vulnerabilities/43701 (NVD: Third Party Advisory, VDB Entry)
- www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html (NVD: Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html (NVD: Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.