CVE-2008-3741
Description
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal private filesystem trusts browser-provided MIME type, allowing authenticated users to upload malicious scripts for XSS attacks.
Vulnerability
The private filesystem in Drupal 5.x before version 5.10 and 6.x before version 6.4 trusts the MIME type provided by the web browser for uploaded files [1]. This design flaw allows remote authenticated users with file upload permissions to bypass intended content-type restrictions by manipulating the MIME type sent during the upload process [2]. The vulnerability affects sites using Drupal's private file handling scheme.
Exploitation
An authenticated user with the ability to upload files to the private filesystem can craft an HTTP request that sends a manipulated MIME type (e.g., text/html instead of image/png) for a file containing arbitrary web script or HTML [1]. The attacker then needs to entice another user (potentially with higher privileges) into viewing the uploaded file, which, when served by Drupal, will present the attacker-supplied MIME type and cause the browser to interpret the file content as HTML or script [2].
Impact
Successful exploitation leads to cross-site scripting (XSS) in the context of the Drupal site [1][2]. An attacker can execute arbitrary web script or HTML in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive data within the Drupal application's security context [2].
Mitigation
Drupal has addressed this vulnerability in versions 5.10 and 6.4, released on August 13, 2008 [1]. Site administrators should upgrade to the latest available Drupal 5.x or 6.x release. No workaround is documented for sites that cannot immediately upgrade, and the vulnerability is not listed on the CISA KEV.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
15cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- (no CPE)range: 5.x <5.10, 6.x <6.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- drupal.org/node/295053nvdPatch
- secunia.com/advisories/31462nvd
- secunia.com/advisories/31825nvd
- www.securityfocus.com/bid/30689nvd
- www.vupen.com/english/advisories/2008/2392nvd
- bugzilla.redhat.com/show_bug.cginvd
- exchange.xforce.ibmcloud.com/vulnerabilities/44446nvd
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.htmlnvd
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.htmlnvd
News mentions
0No linked articles in our index yet.