CVE-2009-2372
Drupal 6.0-6.12 - Authenticated Code Injection via User Signature
Title source: llmDescription
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/507572
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35681
Patch, Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1022497
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/55525
Scores
EPSS
0.0113
EPSS Percentile
78.6%
Details
CWE
CWE-94
Status
published
Products (1)
drupal/drupal
6.0 - 6.13
Published
Jul 08, 2009
Tracked Since
Feb 18, 2026