CVE-2009-1576

Drupal 5.x < 5.17 and 6.x < 6.11 - Information Disclosure via Crafted URL

Title source: llm
STIX 2.1

Description

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.

References (11)

Core 11
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/54153
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1216
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34980
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/449078
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34950
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34948
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1792

Scores

EPSS 0.0080
EPSS Percentile 74.2%

Details

Status published
Products (21)
drupal/drupal 5.0 beta1 (4 CPE variants)
drupal/drupal 5.1
drupal/drupal 5.1_rev1.1
drupal/drupal 5.10
drupal/drupal 5.11
drupal/drupal 5.12
drupal/drupal 5.13
drupal/drupal 5.14
drupal/drupal 5.15
drupal/drupal 5.16
... and 11 more
Published May 06, 2009
Tracked Since Feb 18, 2026