Description

Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.

Remediation

References

CVE-2009-4369

Related Vulnerabilities

Oracle Database Server CVE-2014-4292 Vulnerability (CVE-2014-4292)

WordPress Plugin SMTP Mail Cross-Site Scripting (1.3.1)

WordPress Plugin OMGF-Host Google Fonts Locally Multiple Vulnerabilities (4.5.3)

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-7061)

Oracle Application Server Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2018-0735)

Severity

Low

Classification

CVE-2009-4369 CWE-707

Tags

Missing Update Known Vulnerabilities