CVE-2009-4371
Drupal Core 6.14-6.15 - Authenticated Cross-Site Scripting in Locale Module
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
References (3)
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/37825
Exploit, Patch (x_refsource_misc): http://www.madirish.net/?article=442
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/54873
Scores
EPSS: 0.0015
EPSS Percentile: 35.7%
Details
CWE: CWE-79
Status: published
Products (2): drupal/drupal 6.14, drupal/drupal 6.15
Published: Dec 21, 2009
Tracked Since: Feb 18, 2026