CVE-2009-1575

Properties

Published: 05.05.2009
Updated: 20.05.2009
Patch available:
Severity: Medium
CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Product: drupal: drupal

Vulnerability description

Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1216
CONFIRM: http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953
OSVDB: http://www.osvdb.org/54152
CONFIRM: http://drupal.org/node/449078
FEDORA: https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html
FEDORA: https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html
XF: http://xforce.iss.net/xforce/xfdb/50250
DEBIAN: http://www.debian.org/security/2009/dsa-1792
SECUNIA: http://secunia.com/advisories/34980
SECUNIA: http://secunia.com/advisories/34950
SECUNIA: http://secunia.com/advisories/34948