[Secure-testing-team] Bug#562165: CVE-2009-4369, CVE-2009-4370, CVE-2009-4371: Several XSS issues
Steffen Joeris
steffen.joeris at skolelinux.de
Wed Dec 23 10:52:16 UTC 2009
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possibly other
| versions including 6.15, allows remote authenticated users with
| "administer languages" permissions to inject arbitrary web script or
| HTML via the (1) Language name in English or (2) Native language name
| fields in the Custom language form.
CVE-2009-4370[1]:
| Cross-site scripting (XSS) vulnerability in the Menu module
| (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows
| remote authenticated users with permissions to create new menus to
| inject arbitrary web script or HTML via a menu description, which is
| not properly handled in the menu administration overview.
CVE-2009-4369[2]:
| Cross-site scripting (XSS) vulnerability in the Contact module
| (modules/contact/contact.admin.inc or modules/contact/contact.module)
| in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote
| authenticated users with "administer site-wide contact form"
| permissions to inject arbitrary web script or HTML via the contact
| category name.
If you fix the vulnerabilities, please also make sure to include the
CVE ids in your changelog entry.
For the latter two you can find the upstream patch here[3]. The former
issue has the patch here[4].
For lenny, please coordinate with the stable release team and go via
stable-proposed-updates as these issues do not seem to warrant a DSA.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4371
http://security-tracker.debian.org/tracker/CVE-2009-4371
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4370
http://security-tracker.debian.org/tracker/CVE-2009-4370
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369
http://security-tracker.debian.org/tracker/CVE-2009-4369
[3] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[4] http://www.madirish.net/?article=442
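The three CVEs above share one bug class: a string entered by an administrative user (menu description, language name, contact category name) is written into an administration page without output escaping. The PHP below is an added illustration of that pattern and its fix, not code from Drupal or from the upstream patch; `check_plain_local` is an assumed stand-in for Drupal 6's `check_plain()`, and the menu record is constructed sample data.

```php
<?php
// Added example (not Drupal's code): the unescaped-output bug behind
// CVE-2009-4369/4370/4371, shown on a menu description as in CVE-2009-4370.

// Stand-in for Drupal 6's check_plain(); assumed to behave like
// htmlspecialchars() with ENT_QUOTES and UTF-8.
function check_plain_local(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a menu whose description carries markup, as a user
// with permission to create menus could submit it through the menu form.
$menu = [
    'title'       => 'Footer',
    'description' => 'Footer links <script>alert(1)</script>',
];

// VULNERABLE: the stored description is concatenated into the overview
// table verbatim, so any administrator viewing the overview runs the script.
function render_overview_vulnerable(array $menu): string
{
    return '<tr><td>' . $menu['title'] . '</td><td>'
         . $menu['description'] . '</td></tr>';
}

// FIXED: every user-controlled value is escaped at the point of output.
// Escaping on output (rather than filtering on input) covers all paths
// that render the value, including values already in the database.
function render_overview_fixed(array $menu): string
{
    return '<tr><td>' . check_plain_local($menu['title']) . '</td><td>'
         . check_plain_local($menu['description']) . '</td></tr>';
}

// Regression check a maintainer can keep in a test suite: the hardened
// output must not contain an unescaped tag from the stored value.
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

echo render_overview_vulnerable($menu), PHP_EOL;
echo render_overview_fixed($menu), PHP_EOL;
var_dump(contains_raw_tag(render_overview_vulnerable($menu), 'script'));
var_dump(contains_raw_tag(render_overview_fixed($menu), 'script'));
```

The same check applies to the Locale and Contact forms: whichever field the CVE names, the fix is to escape it wherever the administration pages print it.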