Description
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
Remediation
References