Description

Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.

Remediation

References

CVE-2009-2372

Related Vulnerabilities

Oracle Database Server CVE-2011-2230 Vulnerability (CVE-2011-2230)

WordPress Plugin Abandoned Cart Pro for WooCommerce Cross-Site Scripting (7.11.1)

WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.3.13.727)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2013-4113)

Roundcube Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-5645)

Severity

Medium

Classification

CVE-2009-2372 CWE-94

Tags

Missing Update Known Vulnerabilities