CVE-2022-50957
Reflected XSS in Drupal Avatar Uploader Module
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | avatar_uploader | 7.x-1.0-beta8 |
| drupal | avatar_uploader | to 7.x-1.0-beta8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50957 is a reflected cross-site scripting (XSS) vulnerability in the Drupal avatar_uploader module version 7.x-1.0-beta8 or earlier.
This vulnerability allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter in the avatar_uploader.pages.inc file.
Attackers can craft URLs containing script payloads in this file parameter, which, when visited by victims, execute arbitrary JavaScript in their browsers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a reflected cross-site scripting (XSS) issue that allows attackers to execute arbitrary JavaScript in victim browsers by manipulating the file parameter. Such vulnerabilities can lead to unauthorized access to user data or session hijacking, which may impact the confidentiality and integrity of personal data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, reflected XSS vulnerabilities generally pose risks to data protection and privacy requirements mandated by these regulations. Exploitation could result in unauthorized disclosure or manipulation of personal data, potentially leading to non-compliance with such standards.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the browsers of users who visit a maliciously crafted URL.
Such script execution can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.
Since the attack requires only that a user clicks a crafted link, it can be exploited without authentication, increasing the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for reflected cross-site scripting (XSS) in the file parameter of the avatar_uploader.pages.inc script in the Drupal avatar_uploader module version 7.x-1.0-beta8 or earlier.
One approach is to craft URLs with script payloads injected into the file parameter and observe if the payload is executed in the browser, indicating the presence of the vulnerability.
Specific commands or automated tools are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The provided resources do not specify immediate mitigation steps for this vulnerability.