CVE-2014-5022

Name	CVE-2014-5022
Description	Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2983-1
Debian Bugs	755038

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
drupal6	source	(unstable)	(not affected)
drupal7	source	wheezy	7.14-2+deb7u5	DSA-2983-1
drupal7	source	(unstable)	7.29-1		755038

Notes

- drupal6 <not-affected> (Only affects Drupal 7 core)
https://www.drupal.org/SA-CORE-2014-003