Multiple vulnerabilities were discovered in Drupal. Contact category name cross-site scripting The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS). This issue affects Drupal 6.x and Drupal 5.x. Menu description cross-site scripting The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS). This issue affects Drupal 6.x only. Reproducible: Always
XSS, never stable → noglsa
CVE-2009-4369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4369): Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. CVE-2009-4370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4370): Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
