Summary
The host is installed with Drupal and is prone to Cross Site Scripting and Remote Code Injection vulnerabilities.
Impact
Attackers can exploit this issue to conduct script insertion attacks and inject and execute arbitrary PHP, HTML and script code.
Impact Level: Application
Solution
Upgrade to Drupal 6.13 or later
http://drupal.org
Insight
Multiple flaws arise because,
- The users can modify user signatures after the associated comment format is changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary code via a crafted user signature.
- When input passed into the unspecified vectors in the Forum module is not properly sanitised before being returned to the user.
Affected
Drupal version 6.x before 6.13 on all platforms.
References
Severity
Classification
-
CVE CVE-2009-2372, CVE-2009-2373 -
CVSS Base Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Related Vulnerabilities