Summary
The host is running Drupal and is prone to cross-site scripting and remote code injection vulnerabilities.
Impact
Successful exploitation lets an attacker conduct script-insertion attacks and inject and execute arbitrary PHP, HTML and script code in the context of the affected site.
Impact Level: Application
Solution
Upgrade to Drupal 6.13 or later.
http://drupal.org
Insight
Multiple flaws arise because:
- Users can still modify their user signatures after the comment input format has been switched to an administrator-controlled input format, so a signature is rendered with that more permissive format without being re-checked; this allows remote authenticated users to inject arbitrary code via a crafted user signature.
- Input passed via unspecified vectors in the Forum module is not properly sanitised before being returned to the user, which allows cross-site scripting.
Affected
Drupal version 6.x before 6.13 on all platforms.
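A quick way to confirm whether an installation falls in the affected range is to read the VERSION constant that Drupal 6 declares in core and compare it numerically against 6.13 (string comparison would wrongly rank "6.9" above "6.13"). The script below is an added example, not part of this advisory or of Drupal itself; it assumes the constant lives in modules/system/system.module as define('VERSION', '...'), and the sample file contents are constructed for the demonstration. Only 6.x is treated as in scope, matching the Affected section above.

```python
import re
from typing import Optional, Tuple

# First version that carries the fix, per the advisory above.
FIXED_VERSION = (6, 13)

# Constructed sample of the core file that declares the Drupal 6 version.
# On a real install, read modules/system/system.module (assumed location).
SAMPLE_SYSTEM_MODULE = """<?php
define('VERSION', '6.12');
define('DRUPAL_CORE_COMPATIBILITY', '6.x');
"""

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_drupal_version(source: str) -> Optional[str]:
    """Return the VERSION string from Drupal core source, or None if absent."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.12' or '6.12-dev' into (6, 12); stop at the first non-numeric part
    (e.g. '6.x-dev' -> (6,)) so an unknown minor is never mistaken for 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is a 6.x release older than 6.13.

    A bare '6.x' (development snapshot with unknown minor) is reported as
    affected, since the fix cannot be confirmed from the version alone.
    """
    t = version_tuple(version)
    if not t or t[0] != FIXED_VERSION[0]:
        return False  # advisory scope is 6.x only
    if len(t) < 2:
        return True  # '6.x': minor unknown, treat as unpatched
    return t < FIXED_VERSION


def check_source(source: str) -> dict:
    """Run the whole check over a system.module file's contents."""
    version = parse_drupal_version(source)
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
    }


if __name__ == "__main__":
    print(check_source(SAMPLE_SYSTEM_MODULE))
```

Point the script at the real file (for example by reading modules/system/system.module from a backup or the webroot) instead of SAMPLE_SYSTEM_MODULE; a result of affected=True means the signature and Forum module fixes are missing.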
References
-
Severity
CVSS Base Score: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Classification
CVE: CVE-2009-2372, CVE-2009-2373
Related Vulnerabilities
- Apache Struts2 showcase namespace XSS Vulnerability
- An Image Gallery Multiple Cross-Site Scripting Vulnerability
- 11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
- Admidio get_file.php Remote File Disclosure Vulnerability
- @Mail 'MailType' Parameter Cross Site Scripting Vulnerability