CVE-2005-3975

Name of the Vulnerable Software and Affected Versions Drupal versions 4.5.0 through 4.5.5 Drupal versions 4.6.0 through 4.6.3

Description The issue is related to an interpretation conflict in the file.inc file, allowing remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension. This causes the HTML to be executed by a victim who views the file in Internet Explorer.

Recommendations For versions 4.5.0 through 4.5.5, update to a version outside of this range to mitigate the risk. For versions 4.6.0 through 4.6.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to files with GIF or JPEG extensions to minimize the risk of exploitation.