Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 297474

Summary: <www-apps/drupal-{5.21,6.15} XSS (CVE-2009-{4369,4370})
Product: Gentoo Security Reporter: Alexey Shvetsov <alexxy>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://drupal.org/node/661586
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Alexey Shvetsov archtester gentoo-dev 2009-12-18 23:11:44 UTC 
Multiple vulnerabilities were discovered in Drupal.
Contact category name cross-site scripting

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x and Drupal 5.x.
Menu description cross-site scripting

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:22:47 UTC 
XSS, never stable → noglsa
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:45:43 UTC 
CVE-2009-4369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4369):
  Cross-site scripting (XSS) vulnerability in the Contact module
  (modules/contact/contact.admin.inc or modules/contact/contact.module)
  in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote
  authenticated users with "administer site-wide contact form"
  permissions to inject arbitrary web script or HTML via the contact
  category name.

CVE-2009-4370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4370):
  Cross-site scripting (XSS) vulnerability in the Menu module
  (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows
  remote authenticated users with permissions to create new menus to
  inject arbitrary web script or HTML via a menu description, which is
  not properly handled in the menu administration overview.