Steffen Joeris
2009-Dec-23 10:52 UTC
[Secure-testing-team] Bug#562165: CVE-2009-4369, CVE-2009-4370, CVE-2009-4371: Several XSS issues
Package: drupal6
Severity: grave
Tags: security patch

Hi Luigi,

the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.

CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possibly other
| versions including 6.15, allows remote authenticated users with
| "administer languages" permissions to inject arbitrary web script or
| HTML via the (1) Language name in English or (2) Native language name
| fields in the Custom language form.

CVE-2009-4370[1]:
| Cross-site scripting (XSS) vulnerability in the Menu module
| (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows
| remote authenticated users with permissions to create new menus to
| inject arbitrary web script or HTML via a menu description, which is
| not properly handled in the menu administration overview.

CVE-2009-4369[2]:
| Cross-site scripting (XSS) vulnerability in the Contact module
| (modules/contact/contact.admin.inc or modules/contact/contact.module)
| in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote
| authenticated users with "administer site-wide contact form"
| permissions to inject arbitrary web script or HTML via the contact
| category name.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For the latter two you can find the upstream patch here[3]. The former
issue has the patch here[4].

For lenny, please coordinate with the stable release team and go via
stable-proposed-updates as these issues do not seem to warrant a DSA.
Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4371
    http://security-tracker.debian.org/tracker/CVE-2009-4371
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4370
    http://security-tracker.debian.org/tracker/CVE-2009-4370
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369
    http://security-tracker.debian.org/tracker/CVE-2009-4369
[3] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[4] http://www.madirish.net/?article=442
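All three CVEs above share one defect class: a string that an authenticated user stored through an admin form (language name, menu description, contact category name) is later written into an admin page without HTML escaping. The following is an added example, not code from this bug report, from Drupal, or from the upstream patch; it uses a hypothetical menu overview renderer with constructed sample records to show the unescaped rendering beside the escaped form. Drupal 6 core provides check_plain() for exactly this escaping step; the example uses the plain-PHP equivalent, htmlspecialchars(), so it runs without Drupal.

```php
<?php
// Added example (not Drupal's code): renders a hypothetical admin overview
// table of menus, first the way the advisory describes the flaw (description
// inserted into markup verbatim) and then with output escaping applied.
// The menu records and the hostile description are constructed for the demo.

// Constructed sample data: the second description is the kind of value a
// user with "create menus" permission could have saved through the form.
$menus = array(
    array('title' => 'Navigation', 'description' => 'Site navigation links'),
    array('title' => 'Footer',     'description' => '<script>alert(1)</script>'),
);

// Escape a string for safe inclusion in HTML text or attribute context.
// Drupal 6 core offers check_plain() for this; in plain PHP the same job is
// done by htmlspecialchars() with ENT_QUOTES and an explicit charset.
function escape_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Unsafe rendering: the stored description is concatenated straight into the
// page, so any markup it contains is interpreted by the administrator's
// browser. This is the pattern the CVE text describes.
function render_overview_unsafe(array $menus) {
    $rows = '';
    foreach ($menus as $menu) {
        $rows .= '<tr><td>' . $menu['title'] . '</td><td>'
               . $menu['description'] . "</td></tr>\n";
    }
    return "<table>\n" . $rows . '</table>';
}

// Hardened rendering: every untrusted value is escaped at the output
// boundary, regardless of which permission the author of the value held.
function render_overview_safe(array $menus) {
    $rows = '';
    foreach ($menus as $menu) {
        $rows .= '<tr><td>' . escape_html($menu['title']) . '</td><td>'
               . escape_html($menu['description']) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . '</table>';
}

// Regression-style check: a raw <script tag must never survive into the
// rendered overview once escaping is in place.
function contains_raw_script($html) {
    return stripos($html, '<script') !== false;
}

$unsafe = render_overview_unsafe($menus);
$safe   = render_overview_safe($menus);

echo 'unsafe output contains raw <script>: '
   . (contains_raw_script($unsafe) ? 'yes' : 'no') . "\n";   // yes
echo 'safe output contains raw <script>:   '
   . (contains_raw_script($safe) ? 'yes' : 'no') . "\n";     // no
echo $safe . "\n";
```

Run it with the php CLI. The useful property to carry over to a real code base is that escaping happens where the value is emitted into HTML, not where it is saved: the same stored menu description may be rendered in several places (the overview, an edit form, a block title), and each output path needs its own check_plain() or htmlspecialchars() call. A test like contains_raw_script() over the rendered admin pages is a cheap way to catch a path that was missed.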