CVE-2009-0817

Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with "administer site configuration" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/34060	Vendor Advisory
http://drupal.org/node/386604	Patch Vendor Advisory
http://drupal.org/node/386606	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/0572	Patch Vendor Advisory
http://lampsecurity.org/node/28	Exploit
http://drupal.org/node/385950	Exploit Vendor Advisory
http://osvdb.org/52300
https://exchange.xforce.ibmcloud.com/vulnerabilities/48980

Advertisement

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:drupal:protected_node_module:6.x-1.2:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.3:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.3:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.4:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.2:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.0:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.x-dev:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.0:::::::*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Information

Published : 2009-03-04 18:30

Updated : 2017-08-16 18:30

NVD link : CVE-2009-0817

Mitre link : CVE-2009-0817

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

drupal

drupal
protected_node_module

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/34060", "name": "34060", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://drupal.org/node/386604", "name": "http://drupal.org/node/386604", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://drupal.org/node/386606", "name": "http://drupal.org/node/386606", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.vupen.com/english/advisories/2009/0572", "name": "ADV-2009-0572", "tags": ["Patch", "Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://lampsecurity.org/node/28", "name": "http://lampsecurity.org/node/28", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://drupal.org/node/385950", "name": "http://drupal.org/node/385950", "tags": ["Exploit", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://osvdb.org/52300", "name": "52300", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48980", "name": "protectednode-passwordpage-xss(48980)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with \"administer site configuration\" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-0817", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2009-03-05T02:30Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:6.x-1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:6.x-1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:5.x:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:5.x-1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:6.x-1.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:5.x-1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:5.x-1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:5.x-1.x-dev:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:protected_node_module:6.x-1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-17T01:30Z"}