CVE-2015-4373

low

Published 2015-06-15 · Modified 2026-05-06

CVSS v3

—

CVSS v2

3.5

VIR risk

3.5

Description

Cross-site scripting (XSS) vulnerability in the OG tabs module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes posted in an Organic Groups group.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2450427

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2404115

Application impact

Vendor	Product	Versions	Fixed
og_tabs_project	og_tabs	`{"endIncluding":"7.x-1.0"}`

References

http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/73054
https://www.drupal.org/node/2404115
https://www.drupal.org/node/2450427
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/73054
https://www.drupal.org/node/2404115
https://www.drupal.org/node/2450427

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.