CVE-2009-4429

Sections module 5.x < 5.x-1.3 and 6.x < 6.x-1.3 - Authenticated Cross-Site Scripting via Section Name Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4429. PoCs published by Justin C. Klein Keane.

AI-analyzed exploit summary This is a writeup describing an HTML-injection vulnerability in the Sections module for Drupal. It explains the vulnerability and provides an example payload but does not include functional exploit code.

Description

Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).

Exploits (2)

exploitdb WRITEUP VERIFIED
by Justin C. Klein Keane · textwebappsphp
https://www.exploit-db.com/exploits/33410

This is a writeup describing an HTML-injection vulnerability in the Sections module for Drupal. It explains the vulnerability and provides an example payload but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Drupal Sections module versions prior to 5.x-1.3 and 6.x-1.3
Auth required
Prerequisites: 'administer sections' permissions
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Justin C. Klein Keane · textwebappsphp
https://www.exploit-db.com/exploits/10485

This is a detailed writeup describing a cross-site scripting (XSS) vulnerability in the Drupal Sections module. It includes steps to reproduce the issue, technical details, and a patch to mitigate the vulnerability.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Drupal 6.14 with Sections 6.x-1.2
Auth required
Prerequisites: Drupal 6.14 installed · Sections 6.x-1.2 module installed and enabled · Attacker must have 'administer sections' permissions
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37371
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/61107
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37752
Various Sources x_refsource_misc
http://www.madirish.net/?article=440
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54860
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/661404

Scores

EPSS 0.0282
EPSS Percentile 84.7%

Details

CWE
CWE-79
Status published
Products (8)
alexander_hass/sections_module 5.x-1.0
alexander_hass/sections_module 5.x-1.1
alexander_hass/sections_module 5.x-1.2
alexander_hass/sections_module 5.x-1.x-dev
alexander_hass/sections_module 6.x-1.0
alexander_hass/sections_module 6.x-1.1
alexander_hass/sections_module 6.x-1.2
alexander_hass/sections_module 6.x-1.x-dev
Published Dec 28, 2009
Tracked Since Feb 18, 2026