CVE-2022-50957 MEDIUM

CVE-2022-50957: Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Vendor Avatar_Uploader
Product avatar_uploader
Weakness CWE-79 · XSS
Published May 10, 2026
Last update May 26, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

Explanation of Vulnerability in Simple Terms

02Summary

Avatar Uploader contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts. An attacker can craft a malicious input that, when viewed by a site user, executes JavaScript in their browser. This requires user interaction to trigger the vulnerability. The vulnerability affects versions 7.x-1.0-beta8.

What an attacker can do

03Attacker Capabilities

Inject and execute malicious JavaScript in a user's browser when they view affected content.

Potential impact on your site

04Site Impact

Site users' sessions, cookies, or credentials could be compromised if they interact with injected content.

Conditions required to exploit

05Prerequisites

User must view a page containing the attacker's malicious input; no authentication required.

Key dates

06Disclosure timeline

May 10, 2026 CVE published
May 26, 2026 Record updated

Related vulnerabilities

08Related CVE