PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-50957 Drupal CVE debrief

CVE-2022-50957 is a reflected cross-site scripting (XSS) vulnerability in avatar_uploader 7.x-1.0-beta8, a contributed module for Drupal. According to the NVD record and the referenced VulnCheck disclosure, an unauthenticated attacker can craft the file parameter handled in avatar_uploader.pages.inc so that script content is reflected into the response and runs in the browser of any victim who opens the link. The issue is rated medium severity (CVSS 5.1) and requires user interaction, which limits its direct remote impact but still supports phishing, session theft, and actions performed with the victim's session on a site the victim trusts.

Vendor: Drupal
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Administrators and developers running Drupal 7 sites with the avatar_uploader 7.x-1.0-beta8 module installed are directly affected. Deployments where the module's pages are reachable by unauthenticated visitors deserve the most attention: the attacker needs no account on the site, only a victim who follows a crafted link.

Technical summary

The vulnerability is a reflected XSS condition in avatar_uploader.pages.inc: the value of the file parameter is written back into the page without being neutralized, so a crafted value can carry script content. The NVD entry classifies the weakness as CWE-79 (improper neutralization of input during web page generation). Because the payload executes in the victim's browser only after the victim follows a maliciously constructed URL, the attacker needs no authentication but does depend on user interaction.
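The pattern described above, as an added illustration in Drupal 7 PHP. This is not code from the avatar_uploader module or from PatchSiren: the function names are invented, the unencoded sink is a hypothetical stand-in for whatever the module does with the file parameter, and the filename allow-list in the hardened version is an assumption about what an avatar name should look like.

```php
<?php
// Added example (not code from the avatar_uploader module or from PatchSiren):
// a hypothetical Drupal 7 page callback showing a reflected-XSS pattern and a
// hardened version of the same callback. Function names are invented.

/**
 * VULNERABLE pattern: the "file" query parameter is written into HTML as-is.
 * A request such as ?file=<script>alert(1)</script> is reflected verbatim,
 * so the browser executes it in the site's origin with the victim's session.
 */
function example_avatar_page_vulnerable() {
  $file = isset($_GET['file']) ? $_GET['file'] : '';
  return '<p>Uploaded avatar: ' . $file . '</p>';   // unencoded sink
}

/**
 * HARDENED pattern: validate the value against the shape a stored avatar
 * name should have, then HTML-encode it on output.
 */
function example_avatar_page_hardened() {
  $file = isset($_GET['file']) ? $_GET['file'] : '';

  // Input validation (the allow-list is an assumption): one basename made of
  // safe characters with an image extension. Path separators, quotes and
  // angle brackets never get past this check. Returning MENU_NOT_FOUND makes
  // Drupal 7 render its normal 404 page.
  if (!preg_match('/^[A-Za-z0-9._-]{1,64}\.(png|jpe?g|gif)$/', $file)) {
    return MENU_NOT_FOUND;
  }

  // Output encoding: t() passes @placeholder values through check_plain(),
  // which encodes &, <, >, " and ' as HTML entities, so even a value that
  // slipped past validation renders as text rather than markup.
  return '<p>' . t('Uploaded avatar: @file', array('@file' => $file)) . '</p>';
}
```

Both layers matter: validation keeps hostile values out of every downstream use (file paths, messages, logs), while output encoding at the sink is what actually prevents CWE-79 if validation is ever loosened. When reviewing the real module, look for every place the file value reaches HTML, including drupal_set_message() calls and t() placeholders written with ! instead of @, since ! placeholders are not encoded in Drupal 7.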

Defensive priority

Medium. The CVSS score is 5.1 and the attack requires user interaction, but no authentication is needed and a successful attack runs attacker-controlled JavaScript in the victim's browser with that user's session on the site, so deployments that expose the module should be reviewed promptly.

Recommended defensive actions

  • Confirm whether avatar_uploader 7.x-1.0-beta8 is installed or reachable in any Drupal environment, for example from the Modules administration page or with drush pm-list.
  • Remove, disable, or upgrade the affected module if a fixed version is available from the project maintainer; the stored evidence does not identify a fixed release.
  • Review every place the file parameter is handled and ensure the value is validated against the expected filename shape on input and HTML-encoded at every point it is written into a page.
  • Check public-facing links or workflows that could send users to attacker-crafted URLs containing the vulnerable parameter.
  • Monitor web-server logs for requests to the module's pages whose file parameter contains markup or script, and follow up on user reports of unexpected behaviour on avatar upload pages.
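One way to carry out the monitoring step, as an added example that is not PatchSiren's or Drupal's code: a small PHP command-line script that scans combined-format access logs for requests whose file parameter carries a script-like value. The log lines are constructed for the example, and the request-path filter ("avatar") is an assumption, since the page does not state the module's actual routes.

```php
<?php
// Added example (not PatchSiren's or Drupal's code): a PHP CLI script that
// triages web-server access logs for reflected-XSS attempts in the "file"
// query parameter. Assumes the combined log format. The request-path filter
// ("avatar") is an assumption; the page does not state the module's routes.

// Constructed sample lines, not real traffic.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/May/2026:10:01:02 +0000] "GET /user/1/avatar?file=me.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:10:01:09 +0000] "GET /user/1/avatar?file=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:10:02:33 +0000] "GET /user/1/avatar?file=x%22%20onerror%3Dalert(1)%20%22 HTTP/1.1" 200 640 "http://evil.example/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2026:10:03:00 +0000] "GET /node/1?file=%3Cb%3Ehi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

/**
 * True when a parameter value contains markup or script. parse_str() has
 * already URL-decoded the value once; decoding again catches double-encoded
 * payloads such as %253Cscript%253E.
 */
function looks_like_xss($value) {
  $decoded = rawurldecode($value);
  $patterns = array(
    '/<\s*\/?\s*[a-z]/i',   // a tag opener: <script, </p, < img
    '/\bon[a-z]+\s*=/i',    // inline event handlers: onerror=, onload=
    '/javascript\s*:/i',    // javascript: URLs
  );
  foreach ($patterns as $pattern) {
    if (preg_match($pattern, $decoded)) {
      return true;
    }
  }
  return false;
}

/**
 * Parse one combined-format line into its fields, or return null.
 */
function parse_line($line) {
  $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';
  if (!preg_match($re, $line, $m)) {
    return null;
  }
  return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
               'target' => $m[4], 'status' => $m[5], 'referer' => $m[6]);
}

/**
 * Return the requests whose path looks like one of the module's pages and
 * whose "file" parameter carries a script-like value.
 */
function triage($log_text) {
  $hits = array();
  foreach (preg_split('/\R/', trim($log_text)) as $line) {
    $req = parse_line($line);
    if ($req === null) {
      continue;
    }
    $url = parse_url($req['target']);
    // Path filter is an assumption; adjust it to the module's real route(s).
    if (empty($url['query']) || !isset($url['path'])
        || stripos($url['path'], 'avatar') === false) {
      continue;
    }
    parse_str($url['query'], $params);
    if (!isset($params['file']) || !looks_like_xss($params['file'])) {
      continue;
    }
    $req['file'] = $params['file'];
    $hits[] = $req;
  }
  return $hits;
}

foreach (triage($sample_log) as $hit) {
  // A 200 response means the page rendered rather than rejecting the value;
  // the referer may point at the phishing page that delivered the link.
  printf("%s %s %s %s status=%s referer=%s file=%s\n",
         $hit['time'], $hit['ip'], $hit['method'], $hit['target'],
         $hit['status'], $hit['referer'], $hit['file']);
}
```

Run it with the real log in place of $sample_log (for example by reading the file with file_get_contents()). On the constructed input the first line is benign and the last is outside the avatar path, so only the two crafted requests are reported. Treat hits as indicators of attempted exploitation, not proof of success: a reflected payload only does harm when a real user opens the link, so pair this with the link-review step above.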

Evidence notes

This debrief is based on the supplied NVD record for CVE-2022-50957 and the referenced source items from VulnCheck, including the Drupal project page and a linked advisory reference. The corpus identifies the weakness as reflected XSS (CWE-79) and states that the file parameter in avatar_uploader.pages.inc can be manipulated to inject script content. No additional exploitation details are included here.

Official resources

The source corpus records the disclosure as coming from VulnCheck, with the NVD record updated on 2026-05-10. The supplied references point to the Drupal project page and related advisory material.