CVE-2009-2372

Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
drupaldrupal
6.0 ≤
𝑥
< 6.13
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal6
jaunty
Fixed 6.10-1ubuntu0.1
released
intrepid
dne
hardy
dne
dapper
dne
Common Weakness Enumeration
References
http://drupal.org/node/507572
http://osvdb.org/55525
http://secunia.com/advisories/35681
http://www.securitytracker.com/id?1022497
http://drupal.org/node/507572
http://osvdb.org/55525
http://secunia.com/advisories/35681
http://www.securitytracker.com/id?1022497