VYPR
Medium severity · 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 13, 2026

CVE-2022-50957

Description

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in Drupal avatar_uploader 7.x-1.0-beta8 allows unauthenticated attackers to inject arbitrary JavaScript via the file parameter.

Vulnerability Description

The Drupal avatar_uploader module, version 7.x-1.0-beta8, is vulnerable to reflected cross-site scripting (XSS) in avatar_uploader.pages.inc. The file GET parameter is not properly sanitized, so script payloads supplied in it are written unescaped into the rendered page [1][3]. This is classified as CWE-79: Improper Neutralization of Input During Web Page Generation [1].

Attack Vector

The attack requires no authentication, only user interaction. An attacker can construct a crafted URL such as http://[target]/avatar_uploader.pages.inc?file=<script>alert("test</script> [3]. When a victim visits this URL, the injected script executes in the victim's browser session, with no prior privileges needed [1][3]. The file parameter is insufficiently neutralized before it is reflected, as the module applies no output encoding [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, phishing, malicious redirection, or other client-side attacks within the security context of the Drupal site [1][3]. Since the vulnerability is unauthenticated, the bar to exploitation is low. The CVSS v4 score is 6.1, indicating moderate impact on confidentiality, integrity, and availability, though scope is changed (SC:L/SI:L) [1].

Mitigation

At the time of disclosure (2022-03-22), the affected version is 7.x-1.0-beta8 and no patch was available [1][2][3]. Users are advised to upgrade to a later non-vulnerable version if one becomes available, or to remove the module; as an interim measure, consider sanitizing the file parameter with a custom input filter or token replacement. The vulnerability is not on CISA's Known Exploited Vulnerabilities list.
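While no patch is available, a defender can at least see whether the reflection point is being probed. The following Python is an added example, not part of this advisory or of the module: it scans web-server access-log lines for requests to avatar_uploader.pages.inc whose file parameter carries HTML or script markup, decoding percent-encoding (including double encoding) before matching. The log format, hosts and paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); hypothetical hosts and paths.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /sites/all/modules/avatar_uploader/avatar_uploader.pages.inc?file=photo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:02 +0000] "GET /sites/all/modules/avatar_uploader/avatar_uploader.pages.inc?file=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /sites/all/modules/avatar_uploader/avatar_uploader.pages.inc?file=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2026:12:00:04 +0000] "GET /user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Markup that has no business in a file name: tags, event handlers, javascript: URLs.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:', re.IGNORECASE)

def decode_param(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(log_text):
    """Return (ip, timestamp, decoded file value) for each suspicious hit on the vulnerable page."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("avatar_uploader.pages.inc"):
            continue
        # parse_qs decodes one layer itself; keep_blank_values keeps an empty parameter visible
        for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            decoded = decode_param(raw)
            if MARKUP_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits

if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious file parameter: {value!r}")
```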

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.