CVE-2009-2079

Taxonomy manager <6.x-1.1 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names.

References (6)

[Patch] http://drupal.org/node/487602

[Patch] http://drupal.org/node/487620

[Patch, Vendor Advisory] http://drupal.org/node/487818

[Exploit, URL Repurposed] http://lampsecurity.org/drupal-6-taxonomy-manager-xss-vulnerability

[Vendor Advisory] http://secunia.com/advisories/35391

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/35286

Scores

EPSS 0.0026

EPSS Percentile 49.3%

Classification

CWE

CWE-79

Status published

Affected Products (6)

drupal/taxonomy_manager

drupal/taxonomy_manager

drupal/taxonomy_manager

drupal/taxonomy_manager

drupal/taxonomy_manager

n/a/n/a

Timeline

Published Jun 16, 2009

Tracked Since Feb 18, 2026