CVE-2009-1844

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.

Published: Jun 1, 2009
Updated: Apr 13, 2023
CVE: CVE-2009-1844
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
drupal / drupal	5.10	5.10.x
drupal / drupal	5.4	5.4.x
drupal / drupal	6.2	6.2.x
drupal / drupal	5.13	5.13.x
drupal / drupal	5.12	5.12.x
drupal / drupal	5.2	5.2.x
drupal / drupal	5.7	5.7.x
drupal / drupal	6.4	6.4.x
drupal / drupal	6.11	6.11.x
drupal / drupal	5.16	5.16.x
drupal / drupal	5.0	5.0.x
drupal / drupal	5.15	5.15.x
drupal / drupal	6.7	6.7.x
drupal / drupal	6.8	6.8.x
drupal / drupal	6.1	6.1.x
drupal / drupal	5.6	5.6.x
drupal / drupal	5.1	5.1.x
drupal / drupal	6.5	6.5.x
drupal / drupal	5.5	5.5.x
drupal / drupal	6.10	6.10.x
drupal / drupal	6.6	6.6.x
drupal / drupal	6.0	6.0.x
drupal / drupal	5.14	5.14.x
drupal / drupal	5.9	5.9.x
drupal / drupal	5.8	5.8.x
drupal / drupal	5.3	5.3.x
drupal / drupal	6.3	6.3.x
drupal / drupal	5.11	5.11.x
drupal / drupal	6.9	6.9.x

Vulnerability Database

289,697

CVE-2009-1844