Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.5
CVE Id CVE-2009-2372
Last Modified 08 Jul 2009 12:00:00
Published 08 Jul 2009 11:30:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2009-2372

Summary

Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.

Vulnerable Systems

Application

  • Drupal 6.0
  • Drupal 6.1
  • Drupal 6.2
  • Drupal 6.3
  • Drupal 6.4
  • Drupal 6.5
  • Drupal 6.6
  • Drupal 6.7
  • Drupal 6.8
  • Drupal 6.9
  • Drupal 6.10
  • Drupal 6.11
  • Drupal 6.12


References

SECTRACK - 1022497

OSVDB - 55525

CONFIRM - http://drupal.org/node/507572

SECUNIA - 35681


Last Updated: 27 May 2016 10:50:52