Description
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.