CVE-2015-4387

Name: CVE-2015-4387
Creator: NVD / NIST
Published: 2015-06-15T14:59:43.013+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.18%

Last modified Jun 17, 2026

CVE-2015-4387 is a vulnerability of currently unknown severity. Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source.. EPSS estimates a 1.18% chance of exploitation in the next 30 days.

Description

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source.

Metrics

EPSS Probability

1.18%

63.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Password Policy Project	Password Policy	6.x-1.0
Password Policy Project	Password Policy	6.x-1.1
Password Policy Project	Password Policy	6.x-1.2
Password Policy Project	Password Policy	6.x-1.3
Password Policy Project	Password Policy	6.x-1.4
Password Policy Project	Password Policy	6.x-1.5
Password Policy Project	Password Policy	6.x-1.6
Password Policy Project	Password Policy	6.x-1.7
Password Policy Project	Password Policy	6.x-1.8
Password Policy Project	Password Policy	6.x-1.9
Password Policy Project	Password Policy	6.x-1.10
Password Policy Project	Password Policy	7.x-1.0
Password Policy Project	Password Policy	7.x-1.1
Password Policy Project	Password Policy	7.x-1.2
Password Policy Project	Password Policy	7.x-1.3
Password Policy Project	Password Policy	7.x-1.4
Password Policy Project	Password Policy	7.x-1.5
Password Policy Project	Password Policy	7.x-1.6
Password Policy Project	Password Policy	7.x-1.7
Password Policy Project	Password Policy	7.x-1.8
Password Policy Project	Password Policy	7.x-1.9
Password Policy Project	Password Policy	7.x-1.10

References

http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/74348
https://www.drupal.org/node/2463327Patch
https://www.drupal.org/node/2463329Patch
https://www.drupal.org/node/2463835Patch, Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/74348
https://www.drupal.org/node/2463327Patch
https://www.drupal.org/node/2463329Patch
https://www.drupal.org/node/2463835Patch, Vendor Advisory

Timeline

Published: Jun 15, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-4387?

How severe is CVE-2015-4387?

Severity scoring for CVE-2015-4387 is pending analysis. The EPSS model estimates a 1.18% probability of exploitation in the next 30 days.

How do I fix CVE-2015-4387?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-4387?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST