FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- multiple cross-site scripting

Affected packages
drupal5 < 5.21
drupal6 < 6.15

Details

VuXML ID 751823d4-f189-11de-9344-00248c9b4be7
Discovery 2009-12-16
Entry 2009-12-25
Modified 2010-05-02

Drupal Team reports:

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

References

CVE Name CVE-2009-4370
URL http://drupal.org/node/661586