CVE-2009-4371

Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/37825	Vendor Advisory
http://www.madirish.net/?article=442	Exploit Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/54873

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal:6.14:::::::*
	cpe:2.3:a:drupal:drupal:6.15:::::::*

History

No history.

Information

Published : 2009-12-21 16:30

Updated : 2017-08-17 01:31

NVD link : CVE-2009-4371

Mitre link : CVE-2009-4371

CVE.ORG link : CVE-2009-4371

JSON object : View

Products Affected

drupal

drupal

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2009-4371", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2009-12-21T16:30:00.687", "references": [{"url": "http://secunia.com/advisories/37825", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.madirish.net/?article=442", "tags": ["Exploit", "Patch"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54873", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with \"administer languages\" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form."}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo Locale (modules/locale/locale.module) en Drupal Core v6.14, y posiblemente otras versiones incluyendo la v6.15, permite a usuarios autenticados remotamente con permisos para \"administraci\u00f3n de lenguajes\" inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante los campos (1) \"Language name\" en ingl\u00e9s o (2) \"Native language name\" en el formulario \"Custom language\"."}], "lastModified": "2017-08-17T01:31:33.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B89B2E01-DFC7-4672-85E7-3930EE653806"}, {"criteria": "cpe:2.3:a:drupal:drupal:6.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39169C30-5F4D-4333-B0B9-0881811F1E01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}