CVE-2009-1844

2009-06-0100:00:00

ubuntu.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.003

Percentile

71.6%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before
5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject
arbitrary web script or HTML via crafted UTF-8 byte sequences that are
treated as UTF-7 by Internet Explorer 6 and 7, which are not properly
handled in the “HTML exports of books” feature; and (2) allow remote
authenticated users with administer taxonomy permissions to inject
arbitrary web script or HTML via the help text of an arbitrary vocabulary.
NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.

Notes

Author	Note
mdeslaur	SA-CORE-2009-006

OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchdrupal5< 5.7-1ubuntu1.2UNKNOWN
ubuntu8.10noarchdrupal5< 5.10-1ubuntu1.1UNKNOWN
ubuntu9.04noarchdrupal5< 5.15-1ubuntu1.1UNKNOWN
ubuntu9.04noarchdrupal6< 6.10-1ubuntu0.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.04	noarch	drupal5	< 5.7-1ubuntu1.2	UNKNOWN
ubuntu	8.10	noarch	drupal5	< 5.10-1ubuntu1.1	UNKNOWN
ubuntu	9.04	noarch	drupal5	< 5.15-1ubuntu1.1	UNKNOWN
ubuntu	9.04	noarch	drupal6	< 6.10-1ubuntu0.1	UNKNOWN