CVE-2008-6533
Description
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 5.x/6.x fails to update content when an input format is deleted, leading to cross-site scripting (XSS) via unfiltered output.
Vulnerability
In Drupal 5.x before version 5.13 and 6.x before version 6.7, when an input format is deleted, the system does not delete or update all related content that was created using that format [1]. Consequently, that content continues to be displayed without the filtering previously provided by the deleted format, which can allow malicious tags to be output unsanitized [1].
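An audit for the condition described above, as an added example that is not taken from the advisory or from Drupal's code: it lists content rows whose input format id no longer exists. The table and column names (`filter_formats`, `node_revisions`, `comments`, `boxes`, each with a `format` column) are a simplified model of the Drupal 5/6 schema assumed here, the treatment of format 0 as "site default" is likewise an assumption, and the sample rows are constructed.

```python
import sqlite3

# Simplified, constructed stand-in for the Drupal 5/6 tables that carry an
# input-format id. Only the columns needed for the audit are modeled.
SCHEMA = """
CREATE TABLE filter_formats (format INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE node_revisions (vid INTEGER PRIMARY KEY, nid INTEGER, format INTEGER);
CREATE TABLE comments (cid INTEGER PRIMARY KEY, nid INTEGER, format INTEGER);
CREATE TABLE boxes (bid INTEGER PRIMARY KEY, format INTEGER);
"""

# (table, primary-key column) pairs whose rows reference filter_formats.format.
CONTENT_TABLES = [("node_revisions", "vid"), ("comments", "cid"), ("boxes", "bid")]


def find_orphaned_content(conn):
    """Return sorted (table, row id, format id) for rows whose format is gone.

    Format 0 is skipped: it is assumed to mean "use the site default format".
    """
    orphans = []
    for table, key in CONTENT_TABLES:
        rows = conn.execute(
            f"SELECT c.{key}, c.format FROM {table} c "
            "LEFT JOIN filter_formats f ON f.format = c.format "
            "WHERE c.format <> 0 AND f.format IS NULL"
        )
        orphans.extend((table, row_id, fmt) for row_id, fmt in rows)
    return sorted(orphans)


def build_sample_db():
    """Constructed data: format 3 was deleted after content was saved with it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO filter_formats VALUES (?, ?)",
                     [(1, "Filtered HTML"), (2, "Full HTML")])
    conn.executemany("INSERT INTO node_revisions VALUES (?, ?, ?)",
                     [(10, 5, 1), (11, 6, 3), (12, 7, 0)])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                     [(100, 5, 1), (101, 6, 3)])
    conn.executemany("INSERT INTO boxes VALUES (?, ?)", [(1, 2), (2, 3)])
    return conn


if __name__ == "__main__":
    for table, row_id, fmt in find_orphaned_content(build_sample_db()):
        print(f"{table} id={row_id} references missing input format {fmt}")
```

Rows reported by such a check are the ones to review and reassign to an existing, restrictive format after upgrading.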
Exploitation
An attacker who has previously submitted content (e.g., a comment or node) with harmful HTML tags while a permissive input format was active can have that content subsequently rendered unfiltered after the format is deleted [1]. No additional authentication beyond the original content submission is required; the attack vector is remote and relies on the deletion event occurring after the malicious content was posted [1].
Impact
Successful exploitation leads to cross-site scripting (XSS) [1]. An attacker can inject arbitrary scripts or HTML that will be executed in the browsers of users viewing the affected content, potentially leading to session hijacking, credential theft, or other client-side attacks [1].
Mitigation
Upgrade to Drupal 5.13 or Drupal 6.7, released on 2008-December-10 [1]. If immediate upgrade is not possible, apply the provided patches (SA-2008-073-5.12.patch for Drupal 5.12 or SA-2008-073-6.6.patch for Drupal 6.6) as a temporary measure [1]. No other workarounds are documented in the reference.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.12:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
- (no CPE) range: 5.x < 5.13, 6.x < 6.7
Patches
No patches discovered yet.
References
- drupal.org/node/345441 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/33112 (nvd: Vendor Advisory)
- secunia.com/advisories/33147 (nvd)
- www.osvdb.org/50662 (nvd)
- www.vupen.com/english/advisories/2008/3414 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/47259 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-December/msg00740.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-December/msg00767.html (nvd)