Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that Internet Explorer 6 and 7 treat as UTF-7, which the "HTML exports of books" feature does not properly handle; and (2) remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575. In practice, vector 2 is a stored XSS fixed by output escaping, while vector 1 shows why output escaping alone is not enough: a UTF-7 encoded payload contains no literal angle brackets, so it survives an escaping filter, and a browser that has to guess the page's charset can decode it into live markup. Declaring the document charset explicitly removes the guess.
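The following is an added illustration of both vectors and is not code from Drupal or from the advisory. It builds a constructed UTF-7 payload, shows that HTML escaping of the kind used for vocabulary help text (vector 2) leaves that payload untouched, and contrasts a book-export page without a charset declaration against one with it. The `render_as_legacy_ie` function is a deliberately simplified model of a browser that guesses the charset when none is declared; it is an assumption made for the example, not a description of Internet Explorer's actual detection algorithm.

```python
import html
import re

# Constructed sample input: the UTF-7 encoding of "<script>alert(1)</script>".
# Every byte is printable ASCII and there is no literal '<' or '>' anywhere in it.
PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def decode_utf7(text: str) -> str:
    """What a UTF-7 decoder makes of the text (IE 6/7 applied one when it guessed UTF-7)."""
    return text.encode("ascii").decode("utf-7")


def escape_for_html(text: str) -> str:
    """Output escaping of the kind that fixes vector 2 (vocabulary help text).

    '+' and '-' are not special to HTML, so escaping leaves a UTF-7 payload as-is;
    this alone does nothing against vector 1.
    """
    return html.escape(text, quote=True)


def build_book_export(body: str, declare_charset: bool) -> bytes:
    """A minimal stand-in for an 'HTML export' page (hypothetical markup, not Drupal's).

    body is already escaped; the charset declaration is present (hardened) or absent (vulnerable).
    """
    meta = (
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        if declare_charset
        else ""
    )
    return f"<html><head>{meta}</head><body>{body}</body></html>".encode("ascii")


_CHARSET_DECL = re.compile(rb"charset=([A-Za-z0-9_-]+)")
_UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]+-")


def render_as_legacy_ie(doc: bytes) -> str:
    """Simplified model (an assumption for this example) of the charset decision:
    an explicit declaration wins; with none, a document containing UTF-7 shift
    sequences is decoded as UTF-7; otherwise it is decoded as UTF-8."""
    declared = _CHARSET_DECL.search(doc)
    if declared:
        return doc.decode(declared.group(1).decode("ascii"))
    if _UTF7_SHIFT.search(doc):
        return doc.decode("utf-7")
    return doc.decode("utf-8")


def script_executes(doc: bytes) -> bool:
    """True if the rendered document contains a live <script> element."""
    return "<script>" in render_as_legacy_ie(doc).lower()


if __name__ == "__main__":
    escaped = escape_for_html(PAYLOAD)
    print("escaping changed the payload:", escaped != PAYLOAD)
    print("export without charset runs script:", script_executes(build_book_export(escaped, False)))
    print("export with charset runs script:", script_executes(build_book_export(escaped, True)))
```

The check a practitioner wants from this is the last two lines of output: the same escaped body is inert once the page states `charset=utf-8`, which is why a charset declaration in the exported document (and not just escaping) is the relevant hardening for vector 1.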
CVSS Score
3.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Drupal | 5.x before 5.18; 6.x before 6.12 |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- http://drupal.org/node/461886 (Patch)
- http://secunia.com/advisories/35282
- http://www.debian.org/security/2009/dsa-1808
FAQ
What is CVE-2009-1844?
CVE-2009-1844 is a vulnerability with a CVSS score of 3.5 (LOW). Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that Internet Explorer 6 and 7 treat as UTF-7 in the "HTML exports of books" feature, and (2) remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary.
How severe is CVE-2009-1844?
CVE-2009-1844 has been rated LOW with a CVSS base score of 3.5/10. This page lists only the base score, not the individual CVSS metrics; note that both vectors require an authenticated account (vector 2 additionally requires the "administer taxonomy" permission), which is why the score is low despite the impact being script execution in other users' browsers.
Is there a patch for CVE-2009-1844?
Yes. The issue is fixed in Drupal 5.18 and 6.12; the Drupal security advisory at http://drupal.org/node/461886 carries the patch, and Debian shipped a fix in DSA-1808. Affected product: Drupal (5.x before 5.18 and 6.x before 6.12).