Published: 01/06/2009 Updated: 08/06/2009

CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8

VMScore: 312

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x prior to 5.18 and 6.x prior to 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.

Vulnerable Product	Search on Vulmon	Subscribe to Product
drupal drupal 5.1
drupal drupal 5.10
drupal drupal 5.8
drupal drupal 5.9
drupal drupal 6.1
drupal drupal 6.2
drupal drupal 6.9
drupal drupal 6.10
drupal drupal 5.13
drupal drupal 5.14
drupal drupal 5.3
drupal drupal 5.2
drupal drupal 6.5
drupal drupal 6.6
drupal drupal 5.0
drupal drupal 5.15
drupal drupal 5.16
drupal drupal 5.7
drupal drupal 5.6
drupal drupal 6.0
drupal drupal 6.7
drupal drupal 6.8
drupal drupal 5.11
drupal drupal 5.12
drupal drupal 5.5
drupal drupal 5.4
drupal drupal 6.3
drupal drupal 6.4
drupal drupal 6.11

CWE-79 http://drupal.org/node/461886 http://secunia.com/advisories/35282 http://www.debian.org/security/2009/dsa-1808 https://nvd.nist.gov

CVE-2009-1844

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect