CVE-2009-1575

Drupal - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.

References (11)

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html

[Patch, Vendor Advisory] http://drupal.org/node/449078

[Vendor Advisory] http://secunia.com/advisories/34948

[Vendor Advisory] http://secunia.com/advisories/34950

[Patch] http://www.osvdb.org/54152

[Patch, Vendor Advisory] http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953

[Patch, Vendor Advisory] http://www.vupen.com/english/advisories/2009/1216

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/50250

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html

[Third Party Advisory] http://www.debian.org/security/2009/dsa-1792

[Third Party Advisory] http://secunia.com/advisories/34980

Scores

EPSS 0.0074

EPSS Percentile 72.6%

Classification

CWE

CWE-79

Status published

Affected Products (45)

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

drupal/drupal

... and 30 more

Timeline

Published May 06, 2009

Tracked Since Feb 18, 2026