WEB APPLICATION VULNERABILITIES Standard & Premium

Drupal Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-2372)

Description

Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.

Remediation

References

Related Vulnerabilities

Apache 2.x version older than 2.0.48

Apache 2.x version older than 2.0.51

WordPress Plugin WP Customer Reviews Unspecified Vulnerability (3.0.7)

Plone CMS Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2021-33509)

WebLogic Improper Input Validation Vulnerability (CVE-2019-12400)

Severity

Medium

Classification

CVE-2009-2372 CWE-94

Tags

Missing Update Known Vulnerabilities