CVE-2012-5591
Description
Cross-site scripting in Drupal Zero Point theme via unescaped path aliases allows remote attackers to inject arbitrary HTML/JS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Drupal Zero Point theme via unescaped path aliases allows remote attackers to inject arbitrary HTML/JS.
Vulnerability
The Zero Point theme for Drupal fails to escape path aliases, leading to a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary web script or HTML through crafted URLs. Affected versions are zeropoint 6.x-1.x prior to 6.x-1.18 and zeropoint 7.x-1.x prior to 7.x-1.4 [2][3][4]. Drupal core is not affected.
Exploitation
An attacker needs no authentication or special privileges. By crafting a URL containing a malicious path alias (e.g., via a link or direct request), the injected script executes in the context of the victim's browser when the page is rendered. No user interaction beyond visiting the crafted URL is required.
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser, enabling actions such as session hijacking, defacement, or redirection to malicious sites. The attack is remote and can affect any user who follows the crafted link.
Mitigation
Users should upgrade to zeropoint 6.x-1.18 (for Drupal 6) or zeropoint 7.x-1.4 (for Drupal 7) [2][4]. These releases were published on 28 November 2012 and include the fix for issue #1830812 [2][4]. No workaround is available; upgrading is the only solution.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
25cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.0:*:*:*:*:*:*:*+ 23 more
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.10:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.11:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.12:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.13:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.14:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.15:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.16:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.17:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.3:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.4:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.5:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.6:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.7:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.8:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.9:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:6.x-1.x:dev:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:7.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:7.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:7.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:7.x-1.3:*:*:*:*:*:*:*
- cpe:2.3:a:catalin_florian_radut:zeropoint:7.x-1.x:dev:*:*:*:*:*:*
- Range: <6.x-1.18, <7.x-1.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- drupal.org/node/1853350nvdPatch
- drupal.org/node/1853358nvdPatch
- drupal.org/node/1853376nvdPatchVendor Advisory
- www.openwall.com/lists/oss-security/2012/11/29/2nvd
News mentions
0No linked articles in our index yet.