By kannthu
The "Drupal Avatar Uploader - Cross-Site Scripting" module is a test case designed to detect a cross-site scripting vulnerability in the Drupal Avatar Uploader v7.x-1.0-beta8 plugin. This vulnerability affects the slider import search feature and tab parameter via plugin settings. The severity of this vulnerability is classified as high, with a CVSS score of 7.2.
This module was authored by bywalks.
Successful exploitation of the cross-site scripting vulnerability in the Drupal Avatar Uploader plugin could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or other malicious activities.
The "Drupal Avatar Uploader - Cross-Site Scripting" module performs a series of HTTP requests and matches the responses against specific conditions to determine if the vulnerability is present. One example of an HTTP request made by the module is:
GET /avatar_uploader.pages.inc?file=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
The module then checks the response body, headers, and status code against the following conditions:
- The response body contains the HTML code <div><script>alert(document.domain)</script></div>
- The response headers include the word "text/html"
- The response status code is 200 (OK)
If all of these conditions are met, the module reports a vulnerability.
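The three conditions above, evaluated together over constructed responses, show which server behaviours make the check fire and which (output encoding, a non-HTML content type, a non-200 status) make it stay silent. This is an added example, not the module's own code. The render() stand-in for the endpoint, the function names and the sample responses are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Probe value and expected reflection, both taken from the module description.
PROBE = "%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
EXPECTED = "<div><script>alert(document.domain)</script></div>"


def matches(status, headers, body):
    """Logical AND of the three matcher conditions: body, headers, status."""
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items()).lower()
    return status == 200 and "text/html" in header_blob and EXPECTED in body


def render(file_param, escape):
    """Hypothetical stand-in for the endpoint: places the 'file' value in a <div>."""
    value = unquote(file_param)
    if escape:
        value = html.escape(value)  # output encoding applied before reflection
    return f"<html><body><div>{value}</div></body></html>"


# Constructed responses (not captured traffic): (status, headers, body)
HTML_TYPE = {"Content-Type": "text/html; charset=utf-8"}
SAMPLES = {
    "reflected_raw": (200, HTML_TYPE, render(PROBE, escape=False)),
    "escaped": (200, HTML_TYPE, render(PROBE, escape=True)),
    "plain_text": (200, {"Content-Type": "text/plain"}, render(PROBE, escape=False)),
    "not_found": (404, HTML_TYPE, render(PROBE, escape=False)),
}


def evaluate():
    """Run the matcher over every sample and return {sample_name: matched}."""
    return {name: matches(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14} -> {'vulnerable' if hit else 'no match'}")
```

Only the unescaped reflection served as text/html with status 200 satisfies all three conditions, so HTML-encoding the parameter on output is enough to clear the finding.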