CVE-2008-3740
Description
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 5.x before 5.10 and 6.x before 6.4 contain a cross-site scripting vulnerability in the output filter, allowing arbitrary script injection via unspecified vectors.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the output filter of Drupal core versions 5.x before 5.10 and 6.x before 6.4 [1][2]. The bug allows malicious users to inject arbitrary web script or HTML into pages via unspecified vectors, triggered when the output filter processes user-supplied content without proper sanitization [1].
Exploitation
An attacker with the ability to submit content through Drupal's input mechanisms can exploit this flaw remotely [1]. No authentication or special privileges are required; the attacker only needs to craft malicious input that passes through the vulnerable output filter [1][2]. The exact sequence of steps is not detailed in the references, but the attack involves injecting script code into a page that is later rendered to other users.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser, leading to information disclosure, session hijacking, or other malicious actions [1]. The impact is limited to the browser session of users viewing the affected page, but can enable further attacks against the Drupal site [1].
Mitigation
Drupal has released fixed versions: 5.10 for the 5.x branch and 6.4 for the 6.x branch, both dated August 13, 2008 [1][2]. Users should upgrade to these versions or later. No workarounds are documented; upgrading is the recommended solution.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- (no CPE) range: 5.x < 5.10, 6.x < 6.4
Patches
No patches discovered yet.
References
- drupal.org/node/295053 (nvd, Patch)
- secunia.com/advisories/31462 (nvd)
- secunia.com/advisories/31825 (nvd)
- www.securityfocus.com/bid/30689 (nvd)
- www.vupen.com/english/advisories/2008/2392 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/44445 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html (nvd)