Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 6 Jun 2009 12:36:43 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: drupal


On Thu, 28 May 2009, Nico Golde wrote:

> Hi,
> http://drupal.org/node/461886


======================================================
Name: CVE-2009-1844
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1844
Reference: CONFIRM:http://drupal.org/node/461886
Reference: DEBIAN:DSA-1808
Reference: URL:http://www.debian.org/security/2009/dsa-1808
Reference: SECUNIA:35282
Reference: URL:http://secunia.com/advisories/35282

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x
before 5.18 and 6.x before 6.12 allow (1) remote authenticated users
to inject arbitrary web script or HTML via crafted UTF-8 byte
sequences that are treated as UTF-7 by Internet Explorer 6 and 7,
which are not properly handled in the "HTML exports of books" feature;
and (2) allow remote authenticated users with administer taxonomy
permissions to inject arbitrary web script or HTML via the help text
of an arbitrary vocabulary.  NOTE: vector 1 exists because of an
incomplete fix for CVE-2009-1575.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.