CVE-2009-4429
Published 2009-12-28
Priority: P4 · 16 · low
CVSS 2.0 base score: 3.5 (vector AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploit: available (see the Exploit-DB entries below)
EPSS: 2.82% (84.8th percentile)
Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).
Affected (8 version ranges in the source record; the table below summarizes them from the description)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexander_hass | sections_module | 5.x before 5.x-1.3 | 5.x-1.3 |
| alexander_hass | sections_module | 6.x before 6.x-1.3 | 6.x-1.3 |
No detection rules found.
Exploit-DB: Drupal Module Sections - Cross-Site Scripting (exploitdb, 2009-12-16)
---
The text of this announcement is also available at
http://www.madirish.net/?article=440
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Sections module
(http://drupal.org/project/sections) "allows you to create sections
within your site. Each section has an installed template, theme or style
attached to it."
The Sections module contains a cross site scripting vulnerability
because it does not properly sanitize output of section names before
display.
Systems affected:
-----------------
Drupal 6.14 with Sections 6.x-1.2 was tested and shown to be vulner
Exploit-DB: Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection (exploitdb, 2009-12-16)
---
source: https://www.securityfocus.com/bid/37371/info
The Sections module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
To exploit this issue, the attacker must have 'administer sections' permissions.
Versions prior to Sections 5.x-1.3 and 6.x-1.3 are vulnerable.
The following example input is available:
alert('xss');
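Both advisories above describe the same defect: the section name (the Name field) is written into HTML without output escaping, so a user holding "administer sections" can store markup that later runs in every visitor's browser. The snippet below is an added illustration, not the Sections module's own code; the function and variable names are hypothetical and the section record is constructed. It shows the vulnerable output pattern beside the fix, which is the escape-on-output rule that Drupal 6 core provides through check_plain(). Because check_plain() is only available inside Drupal, the escaping step here calls htmlspecialchars() with ENT_QUOTES and UTF-8 directly, which is what check_plain() does internally.

```php
<?php
// Added example (not from the Sections module): unescaped section name
// output versus escaped output. Names below are hypothetical.

// Vulnerable pattern: the stored name is concatenated straight into HTML.
function render_section_row_vulnerable(array $section): string
{
    return '<tr><td>' . $section['name'] . '</td></tr>';
}

// Escape-on-output helper. In Drupal 6 you would call check_plain($text);
// it wraps exactly this htmlspecialchars() call (plus a UTF-8 validity check).
function escape_plain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Fixed pattern: escape at the point where the value enters HTML.
function render_section_row_fixed(array $section): string
{
    return '<tr><td>' . escape_plain($section['name']) . '</td></tr>';
}

// Simple check a reviewer can run over rendered output: any raw '<' that
// survives from user-controlled data means the escaping step was skipped.
function contains_raw_markup(string $rendered, string $user_value): bool
{
    return strpos($user_value, '<') !== false
        && strpos($rendered, $user_value) !== false;
}

// Constructed sample record: a section whose Name field carries the
// advisory's alert('xss') payload wrapped in a script tag.
$section = ['name' => "Marketing <script>alert('xss');</script>"];

$bad  = render_section_row_vulnerable($section);
$good = render_section_row_fixed($section);

echo $bad, PHP_EOL;
echo $good, PHP_EOL;
echo 'vulnerable output leaks markup: ', var_export(contains_raw_markup($bad, $section['name']), true), PHP_EOL;
echo 'fixed output leaks markup:      ', var_export(contains_raw_markup($good, $section['name']), true), PHP_EOL;
```

Run with `php sections_xss_example.php`. The first line reproduces the stored script tag verbatim, which a browser would execute; the second renders the same name as inert text because `<`, `>` and the quotes are converted to entities. The practical mitigations for this CVE are the ones the advisories imply: upgrade to Sections 5.x-1.3 or 6.x-1.3, and treat "administer sections" as a privileged permission, since the bug is only reachable by users who hold it.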
No writeups or analysis indexed.
References
http://drupal.org/node/661404
http://secunia.com/advisories/37752
http://www.madirish.net/?article=440
http://www.osvdb.org/61107
http://www.securityfocus.com/bid/37371
https://exchange.xforce.ibmcloud.com/vulnerabilities/54860