Potential Drupal XSS flaw found

On November 22nd, I discovered two vulnerabilities in sites based on Drupal Core 7.9 with default configuration.  These were:

  • an automatic remote phishing vulnerability (automated email sent from drupal user’s website can contain links to an attacker’s site!)
    Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C (What’s that?)
    Suggested Drupal Security Risk Level: Moderately Critical (3 of 5)
  • a potential XSS vulnerability (High Access Complexity… attacker must have MITM or control of a Proxy)
    Suggested CVSS v2.0: AV:A/AC:H/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
    Suggested Drupal Security Risk Level: Less Critical (2 of 5)

The technical details of this vulnerability have been removed until further notice from the Drupal security team ;-)