Description
Drupal 6.x before 6.13 does not prevent users from modifying their user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
Remediation
References
Related Vulnerabilities
Magento Improper Authorization Vulnerability (CVE-2021-21026)
JBoss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-3586)
WordPress Plugin SendinBlue Subscribe Form And WP SMTP Multiple Unspecified Vulnerabilities (2.7.3)
WordPress Plugin Import and export users and customers Cross-Site Request Forgery (1.14.1.3)
PHP Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2007-1581)