VYPR
Unrated severity · NVD Advisory · Published Sep 24, 2008 · Updated Apr 23, 2026

CVE-2008-4149

Description

Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Drupal Link to Us module 5.x before 5.x-1.1 allows authenticated users to inject arbitrary HTML/script via the Link page header field.

Vulnerability

The Link to Us module for Drupal 5.x (versions prior to 5.x-1.1) does not properly escape text in the "Link page header" field, allowing remote authenticated users to inject arbitrary web script or HTML. The 6.x development version is also vulnerable, but a fix is included in the next development snapshot. [1]

Exploitation

An attacker must be a remote authenticated user with permission to post content, specifically to set the "Link page header" field. The attacker can then insert malicious script or HTML into that field, which will be executed when other users view the page. No special network position is required beyond normal web access. [1]

Impact

Successful exploitation leads to cross-site scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or other malicious actions. The impact is limited to the scope of the affected page. [1]

Mitigation

Upgrade to Link to Us 5.x-1.1 for Drupal 5.x. For the 6.x development version, a fix will appear in the next development snapshot (within 12 hours of the advisory). No other workarounds are mentioned. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Drupal/Link To Us (3 versions)
    • cpe:2.3:a:drupal:link_to_us:*:*:*:*:*:*:*:* (range: <=5.x-1.0)
    • cpe:2.3:a:drupal:link_to_us:5.x-1.x-dev:*:*:*:*:*:*:*
    • (no CPE) (range: <5.x-1.1)
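
As a triage aid for the ranges listed above, this added example (not code from the advisory or from the module) classifies installed Link to Us version strings against them. The verdict labels, the `triage` and `report` names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges as listed on this page for the Link to Us module:
#   <=5.x-1.0, 5.x-1.x-dev, <5.x-1.1   (fixed release: 5.x-1.1)
FIXED_CORE = 5
FIXED_RELEASE = (1, 1)

# Drupal contrib version string: {core}.x-{major}.{patch|x}[-{extra}]
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$")


def triage(version: str) -> str:
    """Return 'affected', 'not-listed' or 'review' for an installed version."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    core, major, patch, extra = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

    if patch == "x":  # development snapshot, e.g. 5.x-1.x-dev
        if core == FIXED_CORE and major == FIXED_RELEASE[0]:
            return "affected"  # 5.x-1.x-dev is listed as affected on the page
        # Other dev snapshots (the page names 6.x dev as vulnerable until the
        # next snapshot) carry no snapshot date, so a person has to check.
        return "review"
    if core != FIXED_CORE:
        return "not-listed"  # the page lists no tagged release outside 5.x
    release = (major, int(patch))
    if release < FIXED_RELEASE:
        return "affected"
    if release == FIXED_RELEASE and extra:
        # Assumption: a pre-release of 5.x-1.1 may predate the fix.
        return "review"
    return "not-listed"


# Constructed sample inventory (host names and versions are made up).
INVENTORY = {"www1": "5.x-1.0", "www2": "5.x-1.1",
             "stage": "6.x-1.x-dev", "old": "5.x-1.x-dev"}


def report(inventory):
    """Map each host to its triage verdict."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A `review` verdict means the version string alone cannot settle the question, so the installed snapshot has to be checked by hand.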

Patches

0

No patches discovered yet.

References

6
