Drupal XSS And Code Injection Vulnerability Network Vulnerability

Summary

The host is installed with Drupal and is prone to Cross Site Scripting and Remote Code Injection vulnerabilities.

Impact

Attackers can exploit this issue to conduct script insertion attacks and inject and execute arbitrary PHP, HTML and script code. Impact Level: Application

Solution

Upgrade to Drupal 6.13 or later http://drupal.org

Insight

Multiple flaws arise because, - The users can modify user signatures after the associated comment format is changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary code via a crafted user signature. - When input passed into the unspecified vectors in the Forum module is not properly sanitised before being returned to the user.

Affected

Drupal version 6.x before 6.13 on all platforms.

References

http://drupal.org/node/507572
http://secunia.com/advisories/35681
http://securitytracker.com/alerts/2009/Jul/1022497.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-2372, CVE-2009-2373
CVSS Base Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

Related Vulnerabilities

Adobe ColdFusion Multiple Vulnerabilities-03 May-2014
Apache ActiveMQ 'Cron Jobs' Cross Site Scripting Vulnerability
Apache Open For Business HTML injection vulnerability
Apache Subversion Module Metadata Accessible
AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities

Drupal XSS and Code Injection Vulnerability

Take action and discover your vulnerabilities