| Summary: | www-apps/drupal <5.18/6.12 Cross-Site Scripting Vulnerability (CVE-2009-1844) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Baptiste aka mRyOuNg <mryoung> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | jesse, ole+gentoo, web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://drupal.org/node/461886 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Baptiste aka mRyOuNg, 2009-05-13 20:37:28 UTC

*** Bug 270872 has been marked as a duplicate of this bug. ***

Thank you for the report, mRyOuNg! New versions were just added to the tree.

Not stable, thus no GLSA. Thanks Peter.

CVE-2009-1844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1844): Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.
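The first vector in the CVE text is the classic charset-sniffing problem: an HTML page that neither declares its encoding nor rejects malformed bytes leaves the decoding decision to the client, and a legacy client that guesses UTF-7 turns a harmless-looking ASCII sequence such as `+ADw-` into `<`. The block below is an added illustration of that mechanism and of the two generic checks a hardened export should make; it is not Drupal's book module, not the 5.18/6.12 patch, and not a model of Internet Explorer's actual heuristics. The payload, the invalid byte, the "vulnerable" and "hardened" export shapes and the simplified sniffing client are all constructed for the example; the only claim taken from the page is that UTF-7 interpretation of crafted bytes in the book HTML export is the bug class. Python is used because the demonstration is about bytes and decoders rather than about Drupal's PHP API.

```python
"""
UTF-7 charset-sniffing XSS, as an added illustration of the vector named in
CVE-2009-1844. Generic example: none of this is Drupal code or Drupal's fix.
"""
import html

# Constructed attacker payload: pure ASCII, valid UTF-8, harmless when decoded
# as UTF-8, but decodes to <script>alert(1)</script> under UTF-7.
UTF7_PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"

# Constructed malformed input: a stray continuation byte. A strict UTF-8
# validator must reject it (as it must reject overlongs and surrogates).
INVALID_UTF8 = b"\x80"


def is_strict_utf8(data: bytes) -> bool:
    """Strict UTF-8 validation. Python's strict decoder rejects overlong
    encodings, surrogate code points, truncated and stray continuation bytes."""
    try:
        data.decode("utf-8", "strict")
        return True
    except UnicodeDecodeError:
        return False


def sniffing_client_text(document: bytes) -> str:
    """Simplified model of a legacy client (an assumption of this example, not
    a description of any real browser): a declared charset is honoured; with
    no declaration the bytes are sniffed and decoded as UTF-7, which is the
    behaviour that turns +ADw- into '<'."""
    if b"charset=utf-8" in document.lower():
        return document.decode("utf-8", "replace")
    return document.decode("utf-7", "replace")


def book_export_vulnerable(title: str, body: bytes) -> bytes:
    """Constructed 'before' shape: an HTML export with no charset declaration
    and no byte validation, so the client decides how to decode it."""
    return (b"<html><head><title>" + html.escape(title).encode("utf-8")
            + b"</title></head><body>" + body + b"</body></html>")


def book_export_hardened(title: str, body: bytes) -> bytes:
    """Hardened shape (generic, not Drupal's patch): refuse bytes that are not
    strict UTF-8, and state the charset in the document itself so no sniffing
    decision is left to the client. The same charset should also be sent in
    the HTTP Content-Type header; that part is outside this example."""
    if not is_strict_utf8(body):
        raise ValueError("export body is not valid UTF-8")
    return (b'<html><head><meta http-equiv="Content-Type" '
            b'content="text/html; charset=utf-8"><title>'
            + html.escape(title).encode("utf-8")
            + b"</title></head><body>" + body + b"</body></html>")


if __name__ == "__main__":
    vuln = book_export_vulnerable("Book", UTF7_PAYLOAD)
    hard = book_export_hardened("Book", UTF7_PAYLOAD)
    print("vulnerable export as seen by a sniffing client:")
    print("  ", sniffing_client_text(vuln))
    print("hardened export as seen by the same client:")
    print("  ", sniffing_client_text(hard))
    print("strict UTF-8 accepts payload bytes:", is_strict_utf8(UTF7_PAYLOAD))
    print("strict UTF-8 accepts stray 0x80:   ", is_strict_utf8(INVALID_UTF8))
```

Note what the two checks each buy: strict byte validation alone does not stop this payload, because it is valid ASCII and therefore valid UTF-8; the explicit charset declaration is what removes the client's guess. Validation still matters for the "crafted UTF-8 byte sequences" the CVE mentions, since malformed bytes are one of the things that push a client into sniffing in the first place.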